Earlier today, Google researchers Bodo Möller, Thai Duong, and Krzysztof Kotowicz released a paper discussing a serious bug in SSL 3.0 that allows attackers to conduct man-in-the-middle attacks and decrypt the traffic between Web servers and end users. For example, if you're shopping online with your credit card, you may think that your information is secure, but thanks to this bug (known as POODLE) it may actually be at risk. An attacker can hijack your transaction, retrieve your credit card information, or even change your order. The bullet points below summarize some key points of this vulnerability:
- CVE ID: CVE-2014-3566
- Popular name: POODLE (Padding Oracle On Downgraded Legacy Encryption)
- Vulnerability: SSL 3.0 fallback bug
- Attack vector: Man-in-the-middle
Figure 1: Attackers may force the communication between a client and server to downgrade from TLS to SSL 3.0 to be able to decrypt the network communication

Countermeasures

This vulnerability can be avoided if the SSL 3.0 protocol is disabled. Site administrators can disable support for this on their side; for example these instructions show how to do this in Apache. End users can disable SSL 3.0 support on their end as well, through the following steps:
- For Chrome users, running Chrome with the command Chrome.exe --ssl-version-min=tls1 will specify that the minimum version of SSL that will be used is TLS 1.0.
- In Firefox, type about:config in the search bar to change settings. Search for the keyword security.tls.version.min and set the value to 1 to disable SSL 3.0 support.
- Internet Explorer users can follow the steps in Security Advisory 3009008 to disable SSL 3.0.
- To protect the server, disable SSL 2.0 and SSL 3.0 in IIS 7 using this.
- Protect Apache httpd + mod_ssl using the directive: SSLProtocol All -SSLv2 -SSLv3
- Protect nginx using the directive: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- 1006293 - Detected SSLv3 Request
- 1006296 - Detected SSLv3 Response
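
As an added example (not code from the original post), the Python sketch below audits Apache SSLProtocol and nginx ssl_protocols lines like the two directives above and flags any that leave SSLv3 enabled or contain an unrecognised token, such as a typographic dash pasted in place of the hyphen. The expansion of All and the left-to-right handling of +/- tokens are simplified assumptions, and the sample lines are constructed.

```python
import re

# Assumption: protocols that "All" expands to on a 2014-era mod_ssl build.
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
GROUPS = {p.lower(): {p} for p in APACHE_ALL | {"SSLv2"}}
GROUPS["all"] = set(APACHE_ALL)

def apache_protocols(args):
    """Evaluate SSLProtocol arguments left to right; return (enabled, bad_tokens)."""
    enabled, bad = set(), []
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        group = GROUPS.get(name.lower())
        if group is None:
            bad.append(tok)  # e.g. an en dash pasted where "-" was meant
            continue
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:
            enabled = set(group)  # simplified model: a bare name replaces the set
    return enabled, bad

def audit(config_text):
    """Return (line_number, finding) pairs for Apache/nginx protocol directives."""
    findings = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#")[0].strip()  # drop comments
        m = re.match(r"(SSLProtocol|ssl_protocols)\s+(.+)", line, re.I)
        if not m:
            continue
        if m.group(1).lower() == "sslprotocol":
            enabled, bad = apache_protocols(m.group(2))
        else:  # nginx lists the enabled protocols explicitly
            enabled, bad = set(m.group(2).rstrip(";").split()), []
        if bad:
            findings.append((n, "bad-token"))
        if "SSLv3" in enabled:
            findings.append((n, "sslv3-enabled"))
    return findings

# Constructed sample lines (not taken from any real server).
SAMPLE = """\
SSLProtocol All -SSLv2 -SSLv3
SSLProtocol All -SSLv2 \u2013SSLv3
SSLProtocol All -SSLv2
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols SSLv3 TLSv1;
"""
print(audit(SAMPLE))
```

Only the first and fourth sample lines pass; the second is reported twice because the mistyped token never removes SSLv3 from the enabled set.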