Secure Sockets Layer (SSL) is the predecessor of TLS (Transport Layer Security). Until recently, these two encryption protocols have been used concurrently.
A vulnerability known by the acronym POODLE (Padding Oracle On Downgraded Legacy Encryption) has recently been discovered. While there are no currently known active exploits, it is still a cause for concern.
What does the vulnerability expose?
Attackers can use the vulnerability to mount man-in-the-middle attacks against systems, stealing (amongst other things) passwords and institutional data.
Who will this affect?
The vulnerability affects everyone: all Internet/web-enabled or connected user traffic that still uses the outdated SSL protocol.
Recommended Course of Action
The only way to fix POODLE is to disable all versions of SSL on both the server and the client. The important thing to take away from this note is that vendors such as Mozilla WILL begin disabling SSL 3.0 on November 25, 2014. Other vendors are likely to follow suit shortly thereafter. There is NO negotiation or say in the matter.
System Administrators and Self-managed Units
Start evaluating your systems and disabling SSLv2.0 and 3.0 sooner rather than later, to find out which of your supported applications may be affected.
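Once SSL has been disabled on a server you administer, you will want to confirm that it really no longer negotiates SSLv3. The script below is an added example for this advisory, not tooling from the advisory or from any vendor it mentions; it uses only the Python standard library and assumes the server speaks SSL/TLS directly on the given port (no STARTTLS). It sends a minimal, locally constructed SSLv3 ClientHello and classifies the first record that comes back: a ServerHello carrying version 3.0 means SSLv3 is still enabled, an Alert means the server refused it.

```python
"""Post-remediation check: does a server still negotiate SSLv3?

Added example for this advisory (not the advisory's own tooling).
Standard library only; assumes direct SSL/TLS on the port (no STARTTLS).
"""
import os
import socket
import struct
import sys

SSLV3_VERSION = b"\x03\x00"      # SSL 3.0 on the wire: major 3, minor 0
RECORD_HANDSHAKE = 0x16
RECORD_ALERT = 0x15
HANDSHAKE_CLIENT_HELLO = 0x01
HANDSHAKE_SERVER_HELLO = 0x02


def build_sslv3_client_hello() -> bytes:
    """Construct a minimal SSLv3 ClientHello record (constructed locally for this check)."""
    # A handful of IANA-assigned cipher suites that SSLv3-era servers commonly offered.
    cipher_suites = bytes.fromhex("000a002f003500050004")
    body = (
        SSLV3_VERSION                                    # client_version = 3.0
        + os.urandom(32)                                 # client_random
        + b"\x00"                                        # session_id: empty
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                                    # compression_methods: [null]
    )
    # Handshake header: 1-byte type + 24-bit length
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    # Record header: 1-byte content type + 2-byte version + 16-bit length
    return bytes([RECORD_HANDSHAKE]) + SSLV3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Classify the first record a server returns to the SSLv3 ClientHello.

    'sslv3_accepted' - ServerHello carrying version 3.0: SSLv3 is still enabled
    'rejected'       - Alert record (handshake_failure / protocol_version)
    'unknown'        - no record at all, or a record this check does not interpret
    """
    if len(data) < 5:
        return "unknown"                                 # e.g. the server simply closed the connection
    content_type = data[0]
    if content_type == RECORD_ALERT:
        return "rejected"
    if content_type == RECORD_HANDSHAKE and len(data) >= 11 and data[5] == HANDSHAKE_SERVER_HELLO:
        # ServerHello: record header (5 bytes) + handshake header (4 bytes), then server_version
        return "sslv3_accepted" if data[9:11] == SSLV3_VERSION else "unknown"
    return "unknown"


def check_host(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the probe to a host you administer and classify the reply (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""
    return classify_response(reply)


if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python sslv3_check.py <host> [port]
    port_arg = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(sys.argv[1], check_host(sys.argv[1], port_arg))
```

A result of "rejected" is what you want to see after the change; "unknown" most often means the server closed the connection without an Alert, which is also a refusal but worth a second look with your vendor's own tools. Run the check against every listener (web, mail, LDAP, management interfaces) rather than only port 443, since home-grown and legacy services are the ones most likely to have been missed.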
Most applications presently use TLS, so for most applications the transition should be transparent to the end user. It is the older home-grown and/or legacy applications that need additional attention to verify they still function after the switch.
Units are encouraged to work directly with their support staff and/or vendor(s), if a support contract exists, for updates and/or patches once available.
End Users and Home Users
Make sure your systems are set to automatically pull in and install updates as soon as they are available. Check with your local IT staff or your browser vendor's website to see when an update that disables SSL in the browser (client) might be available to install.
For your home or personal machines:
Apple Safari users - Run software update
Firefox users - Update to the most current version. Then:
Open a browser window and type in the address bar: about:config
In the search field type: security.tls.version.min
Double-click the entry for security.tls.version.min and manually change the value to 1
For Mac: Chrome will update automatically - no manual configuration necessary.
Right-click your Chrome desktop icon
At the end of the Target field enter:
" --ssl-version-min=tls1" (with the leading space but without the quotes).
Restart Chrome completely via the menu or with [Ctrl + Shift + Q].
Go to Control Panel
Scroll toward the bottom of the list and uncheck SSL 2.0 and SSL 3.0
Click Apply and close out.
How POODLE Happened
Mozilla Blog: The POODLE Attack and the End of SSL 3.0
Test for web browsers