Alice&Bob: A new vulnerability was disclosed yesterday by Google in the SSL 3.0 protocol
October 2014 by Alice&Bob
Labelled Poodle (Padding Oracle On Downgraded Legacy Encryption), the vulnerability can enable crucial information to be intercepted by third parties in communications with servers which enable SSL 3.0.
What is the issue?
The issue is not linked to the SSL Certificates themselves but to the version of the protocol used when carrying out encrypted transactions. A vulnerability was discovered in the SSL 3.0 protocol, which can allow an attacker to have access to personal information such as passwords and cookies.
SSL 3.0 is still widely used, even though it is 18 years old, and the more secure TLS protocol has been available for 15 years. To achieve secure encryption, SSL 3.0 must be disabled entirely to protect against downgrade attacks.
What should I do?
As a server administrator, you will need to follow these steps:
1. Check if your server is configured to allow communications over SSL 3.0. You can do this by executing the following OpenSSL command:
openssl s_client -ssl3 -connect [host]:[port]
If SSL 3.0 is disabled, you will see this notification:
SSL routines:SSL3_READ_BYTES:sslv3 alert handshakefailure:/xx/src/ssl/s3_pkt.c:xxxx:SSL alert number 40SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/xx/src/ssl/s3_pkt.c:xxx:
2. Fully disable SSL 3.0
3. Only enable the secure protocols TLS 1.0 and above
You can refer to the following links for assistance and instructions on how to disable SSL 3.0 for the most popular servers:
Apache: http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslprotocol