Q: How to Protect Against the SSL 3.0 Vulnerability

Note: This article refers to: 2014-10-15 SSL 3.0 Vulnerability Disclosed

As vendors roll out patches for this vulnerability, the information in this article will be updated.

Answer

A serious vulnerability in Secure Sockets Layer (SSL) version 3.0 has been discovered. This comes on the heels of several other (unrelated) vulnerabilities found this year, including Heartbleed in April and Shellshock in September.

SSL is one of the protocols used to secure Internet traffic from eavesdroppers. SSL 3.0 is nearly 18 years old and obsolete, but most browsers and web servers still allow its use for compatibility with legacy browsers and/or servers.

This attack, nicknamed POODLE (Padding Oracle On Downgraded Legacy Encryption), allows a man-in-the-middle — such as a malicious Wi-Fi hotspot — to extract data from secure web connections (also known as HTTPS). If successful, an attacker could gain access to online accounts by hijacking session cookies and bypassing the login mechanisms protecting certain accounts.

To deflect this attack, browser users and website administrators need to turn off SSL 3.0 as soon as possible and use a more modern security protocol, such as TLS (Transport Layer Security). The recommendation is to support TLS_FALLBACK_SCSV.

Currently, browsers allow for a protocol downgrade, meaning that if TLS 1.2 isn’t possible, the connection downgrades to an earlier version (such as TLS 1.1, and so on until it reaches SSL 3.0). If an attacker causes a connection failure, they can trigger the use of SSL 3.0. Turning off SSL 3.0 would mitigate this vulnerability.


What is happening or can be done?

1. Browsers: Update your browsers when patches are released by vendors

Google Chrome

Google’s engineers discovered and disclosed the vulnerability in SSL 3.0.

Chrome 39, released on November 18, removed support for the fallback to SSL 3.0. The company hopes to remove support for SSL 3.0 entirely from their client products in the coming months.

Mozilla Firefox

An SSL Version Control add-on can be installed to turn off SSL 3.0 by default.

Mozilla turned off SSL 3.0 in Firefox 34, which was released on December 1st. Firefox 35, to be released on January 13, 2015, will support the TLS_FALLBACK_SCSV mechanism. Look under Preferences / Advanced / Update and make sure that “Automatically install updates” is checked.

Apple Safari

On October 16, Apple issued a security update (Security Update 2014-005) to address this issue. It can be downloaded and installed using Software Update in your Mac’s Apple menu, or from the Apple Support website. Apple has not yet released an update for Safari on Windows.

Microsoft Internet Explorer

On December 9, Microsoft updated Internet Explorer version 11 by giving Windows admins the ability to disable SSL 3.0 for sites in Protected Mode. Microsoft plans to make this happen by default in Internet Explorer 11 when it releases additional updates on February 10, 2015.

For browsers which have not yet been updated with a patch: See the workaround steps one can take to disable SSL 3.0.

A similar article can be found here.

2. Web Servers: Disable SSL 3.0

If you host a website, update it to use a more recent security standard.

Warning: Disabling SSL 3.0 entirely may cause problems for legacy systems.

More information on mitigating risks using TLS_FALLBACK_SCSV for web servers can be found here and here.

Note that the TLS_FALLBACK_SCSV value doesn’t actually resolve the POODLE vulnerability; it just means that clients and servers can continue to support SSL 3.0 where needed without exposing everyone to the same risk. Ideally, SSL 3.0 should be de-supported altogether and clients/servers should move to a newer and better protocol such as TLS.
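
The fallback behaviour and the TLS_FALLBACK_SCSV check described in this article, modelled as an added example (not code from IS&T or any vendor). It follows the rule in RFC 7507 that a server refuses a retry marked with the SCSV when it supports a higher version than the one offered; `connect`, `server_hello` and `drop_above` are hypothetical names, and the model tracks version numbers only.

```python
# Simplified model of version fallback and the TLS_FALLBACK_SCSV check
# (RFC 7507). Added illustration only; this is not a TLS implementation.
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
TLS_FALLBACK_SCSV = 0x5600       # signalling cipher suite value {0x56, 0x00}
INAPPROPRIATE_FALLBACK = 86      # fatal alert sent when a fallback is refused
PROTOCOL_VERSION = 70            # fatal alert: no mutually supported version


def server_hello(server_versions, checks_scsv, client_version, suites):
    """Server side: return ("ok", version) or ("alert", number)."""
    if (checks_scsv and TLS_FALLBACK_SCSV in suites
            and max(server_versions) > client_version):
        return ("alert", INAPPROPRIATE_FALLBACK)
    usable = [v for v in server_versions if v <= client_version]
    if not usable:
        return ("alert", PROTOCOL_VERSION)
    return ("ok", max(usable))


def connect(client_versions, sends_scsv, server_versions, checks_scsv,
            drop_above=None):
    """Client side: retry with lower versions after each failed handshake.

    drop_above (hypothetical parameter) models interference on the path:
    any handshake offering a version above it fails before completing.
    """
    best = max(client_versions)
    for version in sorted(client_versions, reverse=True):
        if drop_above is not None and version > drop_above:
            continue                      # handshake failed; fall back
        suites = [0x002F]                 # one ordinary cipher suite
        if sends_scsv and version < best:
            suites.append(TLS_FALLBACK_SCSV)   # "this is a retry"
        status, value = server_hello(server_versions, checks_scsv,
                                     version, suites)
        if status == "ok":
            return value
        if value == INAPPROPRIATE_FALLBACK:
            return "refused"              # client must not go lower
    return "no common version"


if __name__ == "__main__":
    modern = [SSL3, TLS10, TLS11, TLS12]
    print(hex(connect(modern, False, modern, False)))                   # 0x303
    print(hex(connect(modern, False, modern, False, drop_above=SSL3)))  # 0x300
    print(connect(modern, True, modern, True, drop_above=SSL3))         # refused
    print(hex(connect(modern, True, [SSL3], True)))                     # 0x300
    print(connect(modern, False, [TLS10, TLS11, TLS12], False, drop_above=SSL3))
```

The fourth call shows the point made above: a peer that genuinely supports only SSL 3.0 still connects, while the forced downgrade in the third call is refused. The last call shows that a server with SSL 3.0 disabled has no SSL 3.0 connection to fall back to.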

 

IS&T Contributions

Documentation and information provided by IS&T staff members


Last Modified:

December 15, 2014
