The term “secure” can only mean so much, especially in the case of the Secure Sockets Layer (SSL) version 3.0, a widely-used security protocol that is apparently not so secure at all.
Google researchers released news of a vulnerability found in the 15-year-old design of SSL 3.0. Because this version had previously been acknowledged as insecure and obsolete, it has already been replaced by the subsequent Transport Layer Security (TLS) protocol.
However, in the security advisory released by researchers Bodo Möller, Thai Duong and Krzysztof Kotowicz, it was pointed out that “the security level offered by SSL 3.0 is still relevant since many clients implement a protocol downgrade dance.” Simply put, this is when web admins are essentially trapped into using this version for it to work with their other legacy systems.
“Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today,” the researchers noted. They also promote the use of the TLS_FALLBACK_SCSV mechanism as a response.
However, for the Internet public at large, the largest concern is web browsers and online transactions. To put it more concretely, this flaw may allow attackers to see your online transactions, retrieve payment details, and even change your order, even if you see that trusted secure lock on the upper left corner of your browser.
With what researchers have found about SSL 3.0, an attacker can simply conduct man-in-the-middle attacks between the web server and the browser to capture information. Running what they dubbed as the Padding Oracle On Downgraded Legacy Encryption or POODLE attack, the group established how this flaw allows attackers, “for example, to steal ‘secure’ HTTP cookies.”
If you’re an avid online shopper and online banking site user, or rely on secure online transactions, there are a number of ways to counteract this threat. The key is to block it straightaway. Disable SSL 3.0 from browsers that support it, especially as not doing so can open you to attacks from sites that emulate the POODLE scenario.
This may not bode well for users of Internet Explorer (IE) 6, which is known to support SSL 3.0 alone; their next step is to upgrade to the latest browser version.
Here are a few specific steps for end users to disable SSL 3.0:
For Chrome users, type “Chrome.exe --ssl-version-min=tls1” to set TLS 1.x as the minimum version so that the browser never goes down to SSL 3.0.
For Firefox users, type “about:config” in the search bar to change the configuration. Search for the keyword “security.tls.version.min” and set the value to 1 to disable SSL 3.0 support.
Meanwhile, for web admins who want to ensure SSL 3.0 servers are disabled: