To: Security_SIG; IT Partners; IT Leaders
Subject: SSL 3.0 Vulnerability Disclosed
Engineers at Google have disclosed a vulnerability in SSL 3.0 that can allow a network attacker to decrypt the contents of certain encrypted web communications.
The exploit is being called POODLE (Padding Oracle On Downgraded Legacy Encryption) and is made possible by the abuse of a deprecated encryption protocol included in most web browsers, and web servers, for legacy site and/or browser compatibility.
As a result of this disclosure, both Google and Mozilla have committed to completely removing SSL 3.0 from Firefox and Chrome in the coming months. In the coming days, we expect to see other browser makers, specifically Microsoft (Internet Explorer) and Apple (Safari), publish plans on how they will be protecting users from the POODLE vulnerability.
IS&T plans to upgrade all of its impacted systems to remove SSL 3.0 support and is working to identify non-IS&T sites across the MIT community that are still using SSL 3.0 to secure communications. Once the discovery effort is complete, notifications will be sent out to the administrators of the impacted sites.
IS&T will update this thread as more information is made available from browser makers and as stop-gap mitigation steps are published.
Massachusetts Institute of Technology
Information Systems & Technology (IS&T)
Imperial Violet: https://www.imperialviolet.org/2014/10/14/poodle.html
POODLE Technical Paper: https://www.openssl.org/~bodo/ssl-poodle.pdf
US-CERT Alert: https://www.us-cert.gov/ncas/alerts/TA14-290A