2014-10-15 - SSL 3.0 Vulnerability Disclosed

To: Security_SIG; IT Partners; IT Leaders
Subject: SSL 3.0 Vulnerability Disclosed
Date: 2014-10-15

Good Evening,

Engineers at Google have disclosed a vulnerability in SSL 3.0 that can allow a network attacker to decrypt the contents of certain encrypted web communications.

The exploit is being called POODLE (Padding Oracle On Downgraded Legacy Encryption) and is made possible by abusing a deprecated encryption protocol that most web browsers and web servers still include for compatibility with legacy sites and browsers.

As a result of this disclosure, Google and Mozilla have committed to completely removing SSL 3.0 from Chrome and Firefox in the coming months. In the coming days, we expect other browser makers, specifically Microsoft (Internet Explorer) and Apple (Safari), to publish plans for protecting their users from the POODLE vulnerability.

IS&T plans to upgrade all of its impacted systems to remove SSL 3.0 support and is working to identify non-IS&T sites across the MIT community that are still using SSL 3.0 to secure communications. Once the discovery effort is complete, notifications will be sent out to the administrators of the impacted sites.
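As an added illustration of the discovery step above (example code written here, not IS&T tooling): a small probe that sends an SSL 3.0-only ClientHello and reports whether the server completes the handshake at version 3.0. Host and port are placeholders supplied by the caller; the helper functions can also be exercised offline on captured records.

```python
"""Check whether a server still accepts SSL 3.0, the protocol POODLE abuses."""
import socket
import struct
import sys

SSL3 = b"\x03\x00"  # SSL 3.0 version bytes in record and handshake headers


def build_sslv3_client_hello():
    """Build a minimal ClientHello pinned to SSL 3.0 (no extensions exist in 3.0)."""
    # Two CBC suites defined for SSL 3.0: RSA/3DES (0x000a) and RSA/AES-128 (0x002f).
    suites = b"\x00\x0a\x00\x2f"
    body = (SSL3 + b"\x00" * 32            # client version + fixed (constructed) random
            + b"\x00"                        # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                   # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = ClientHello
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server returns: 'sslv3_accepted', 'sslv3_refused' or 'unknown'."""
    if len(data) < 5:
        return "unknown"
    content_type = data[0]
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:
        # Handshake record carrying a ServerHello; negotiated version is at body offset 0,
        # i.e. bytes 9..11 after the 5-byte record header and 4-byte handshake header.
        return "sslv3_accepted" if data[9:11] == SSL3 else "sslv3_refused"
    if content_type == 0x15:
        # Alert record (e.g. protocol_version or handshake_failure): SSL 3.0 not offered.
        return "sslv3_refused"
    return "unknown"


def probe(host, port=443, timeout=5):
    """Connect, send the SSL 3.0 ClientHello and classify the reply (network access required)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        return classify_response(sock.recv(4096))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example-host.invalid"  # placeholder
    print(target, probe(target))
```

A result of sslv3_accepted means the host belongs on the remediation list; a server that refuses with a TLS alert or a TCP reset is already safe from this downgrade.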

IS&T will update this thread as more information is made available from browser makers and as stop-gap mitigation steps are published.

Regards,
Security Operations

Massachusetts Institute of Technology
Information Systems & Technology (IS&T)
Security Operations

security@mit.edu

http://ist.mit.edu/secure

--------------------------

RELEVANT LINKS

Google Disclosure: http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html

Mozilla Disclosure: https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/

Imperial Violet: https://www.imperialviolet.org/2014/10/14/poodle.html

POODLE Technical Paper: https://www.openssl.org/~bodo/ssl-poodle.pdf

US-CERT Alert: https://www.us-cert.gov/ncas/alerts/TA14-290A

Last Modified: October 17, 2014