Note: This article refers to: 2014-10-15 SSL 3.0 Vulnerability Disclosed
As vendors roll out patches for this vulnerability, the information in this article will be updated.
A serious vulnerability in Secure Sockets Layer (SSL) version 3.0 has been discovered. This comes on the heels of several other (unrelated) vulnerabilities found this year, including Heartbleed in April and Shellshock in September.
SSL is one of the protocols used to secure Internet traffic from eavesdroppers. SSL 3.0 is nearly 18 years old and obsolete, but most browsers and web servers still allow its use for compatibility with legacy browsers and/or servers.
This attack, nicknamed POODLE (Padding Oracle On Downgraded Legacy Encryption), allows a man-in-the-middle — such as a malicious Wi-Fi hotspot — to extract data from secure web connections (also known as HTTPS). If successful, an attacker could gain access to online accounts by hijacking session cookies and bypassing the login mechanisms protecting certain accounts.
To deflect this attack, browser users and website administrators need to turn off SSL 3.0 as soon as possible and use a more modern security protocol, such as TLS (Transport Layer Security). Where SSL 3.0 cannot be turned off, the recommendation is to support TLS_FALLBACK_SCSV.
Currently, browsers allow for a protocol downgrade, meaning that if TLS 1.2 isn’t possible, the connection downgrades to an earlier version (such as TLS 1.1, and on until it reaches SSL 3.0). If an attacker causes a connection failure, they can trigger the use of SSL 3.0. Turning off SSL 3.0 would mitigate this vulnerability.
Google’s engineers discovered and disclosed the vulnerability in SSL 3.0.
Chrome 39, released on November 18, removed support for the fallback to SSL 3.0. Google hopes to remove support for SSL 3.0 entirely from its client products in the coming months.
An SSL Version Control add-on can be installed to turn off SSL 3.0 by default.
Mozilla turned off SSL 3.0 in Firefox 34, which was released on December 1st. Firefox 35, to be released on January 13, 2015, will support the TLS_FALLBACK_SCSV mechanism. Look under Preferences / Advanced / Update and make sure that “Automatically install updates” is checked.
On October 16, Apple issued a security update (Security Update 2014-005) to address this issue. It can be downloaded and installed using Software Update in your Mac’s Apple menu, or from the Apple Support website. Apple has not yet released an update for Safari on Windows.
On December 9, Microsoft updated Internet Explorer version 11 by giving Windows admins the ability to disable SSL 3.0 for sites in Protected Mode. Microsoft plans to make this happen by default in Internet Explorer 11 when it releases additional updates on February 10, 2015.
For browsers which have not yet been updated with a patch: See the workaround steps one can take to disable SSL 3.0.
If you host a website, update it to use a more recent security standard.
Warning: Disabling SSL 3.0 entirely may cause problems for legacy systems.
Note that the TLS_FALLBACK_SCSV value doesn’t actually resolve the POODLE vulnerability; it just means that clients and servers can continue to support SSL 3.0 where needed without exposing everyone to the same risk. Ideally, SSL 3.0 should be de-supported altogether and clients/servers should move to a newer and better protocol such as TLS.
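The protocol downgrade and the TLS_FALLBACK_SCSV caveat described above can be followed in a small Python model. This is an added example, not code from the original article or from any browser or server: the function names and the `dropped` parameter are hypothetical, the numeric constants are the values defined in RFC 7507 and the TLS specifications, and nothing is sent over a network.

```python
# Added example: models the fallback retry and the RFC 7507 server check.
# Nothing here touches the network; "dropped" handshakes are simulated.
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
ALL = {SSL3, TLS10, TLS11, TLS12}
TLS_FALLBACK_SCSV = 0x5600      # signalling cipher suite value (RFC 7507)
INAPPROPRIATE_FALLBACK = 86     # fatal alert defined by RFC 7507
PROTOCOL_VERSION = 70           # fatal alert: no mutually supported version


def server_hello(server_versions, client_version, suites, scsv_aware):
    """Return ("ok", negotiated_version) or ("alert", alert_number)."""
    if (scsv_aware and TLS_FALLBACK_SCSV in suites
            and max(server_versions) > client_version):
        # Client says it is retrying at a lower version, yet the server could
        # have done better: something interfered with the first attempt.
        return ("alert", INAPPROPRIATE_FALLBACK)
    usable = [v for v in server_versions if v <= client_version]
    if not usable:
        return ("alert", PROTOCOL_VERSION)
    return ("ok", max(usable))


def connect(client_versions, server_versions, dropped, client_scsv, server_scsv):
    """Simulate a client that retries one version lower after each failure.

    dropped: versions whose handshakes never complete (simulated interference).
    Returns the negotiated version, or None if no connection is made.
    """
    top = max(client_versions)
    for version in sorted(client_versions, reverse=True):
        if version in dropped:
            continue                      # handshake failed, fall back
        suites = [0x002F]                 # TLS_RSA_WITH_AES_128_CBC_SHA
        if client_scsv and version < top:
            suites.append(TLS_FALLBACK_SCSV)
        status, value = server_hello(server_versions, version, suites, server_scsv)
        return value if status == "ok" else None   # any alert ends the attempt
    return None


if __name__ == "__main__":
    tls_only = {TLS10, TLS11, TLS12}
    print("no interference:      ", connect(ALL, ALL, set(), False, False))
    print("forced fallback:      ", connect(ALL, ALL, tls_only, False, False))
    print("fallback with SCSV:   ", connect(ALL, ALL, tls_only, True, True))
    print("SSL 3.0-only server:  ", connect(ALL, {SSL3}, set(), True, True))
    print("server without SSL 3: ", connect(ALL, tls_only, tls_only, False, False))
```

The fourth case is the caveat in the note above: with a server that only speaks SSL 3.0 the connection still lands on SSL 3.0, because no fallback took place for TLS_FALLBACK_SCSV to flag.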