SSL 3.0 POODLE Attack Vulnerability

CVE-2014-3566

SSL (Secure Sockets Layer) is a protocol used to establish a secure connection between a client and server. SSL 3.0 was introduced in 1996 and is still in wide use by the internet ecosystem (clients and servers). The latest version of this protocol is TLS (Transport Layer Security) 1.2. TLS 1.2 has not been fully adopted in the internet ecosystem as a large number of legacy systems cannot support TLS. Researchers today published a vulnerability with SSL 3.0, POODLE (Padding Oracle On Downgraded Legacy Encryption), that could allow an attacker to decrypt secure cookies sent over a secure connection.

Update The Configuration Of Your Server

This vulnerability does not affect SSL Certificates. No change to existing SSL Certificates are necessary. Customers should review and update the configuration of their web servers to eliminate this vulnerability.

Important Facts

This affects all servers with SSL 3.0 enabled. Although this is a serious vulnerability, it is not at the scale of Heartbleed or Bash in terms of exposure. Hackers would need to already be in a successful Man-In-The-Middle (MITM) position to take advantage of this vulnerability.

CVE 20143566 SSL 3.0 vulnerability is with the SSL protocol.

SSL Certificates (which the SSL protocol uses to establish a secure connection) are not affected.

Existing SSL Certificates do not need to be replaced.

Organizations should disable SSL 3.0 altogether, or disable SSL 3.0 CBC-mode ciphers.

There is a possibility that an attacker who has network control can force a client and server to negotiate a SSL 3.0 connection by disrupting a proper SSL handshake. To remediate the forced downgrade vulnerability, the proper use of TLS_FALLBACK_SCSV is recommended. However, if SSL 3.0 or CBC-mode ciphers in SSL 3.0 are disabled, the forced downgrade vulnerability is less critical at this point.

More Information

Organizations with servers still running SSL 3.0 are those most at risk.

As a server administrator, you should check if your server is configured to allow communications over SSL 3.0, fully disable SSL 3.0, and only enable protocols TLS 1.0 and above.

Server administrators should implement the proper use of TLS_FALLBACK_SCSV to remediate the forced downgrade issue that is part of this vulnerability.

Consumers should disable SSL 3.0 in their browsers.

The uncertainty and lack of technical knowledge regarding this issue in the media may lead to scammers trying to capitalize on this in the form of phishing or malicious spam campaigns.