The POODLE SSL vulnerability marks the third major security flaw discovered this year that impacts the security of millions of websites.

The attack works by forcing the connection to downgrade from the newer TLS protocol to the 18 year old SSL 3 protocol, which is obsolete and insecure, and then utilizing a weakness to calculate small strings of data from the encrypted communication, such as session cookies.

Check to see if your webservers are vulnerable using our free tools such as:

• https://www.poodletest.com/
• Use tools that support TLS_FALLBACK_SCSV, a mechanism that prevents attackers from forcing Web browsers to use SSL 3.0.
• Disable SSL 3.0 altogether, or disable SSL 3.0 CBC-mode ciphers
• Be leery of any spam messages from scammers trying to capitalize on uncertainty and a lack of technical knowledge.

Google added that it will remove SSL 3.0 support from all of its products in the next few months. Mozilla also said it would disable SSL 3.0 in FireFox 34, which already been released.

For Apache-based web server, specific step can be take as below:

1. Removes SSLv2 and SSLv3 support in your configuration file: SSLProtocol All -SSLv2 -SSLv3
2. Test your configuration> apachectl configtest
3. Restart server sudo service apache restart

Google Security Team member, Bodo Möller, explains the mitigation as:

Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.

Anyone on Windows XP, abandon ship

This situation may be the final nail in the coffin of Internet Explorer on Windows XP, since all versions are vulnerable and Microsoft is no longer issuing security patches for those systems. Chrome or Firefox may be used on Windows XP as they have their own network stacks not dependent upon Microsoft for updates. But there are other security problems with the platform and to continue to use it, especially for business is negligence. Use at your own risk.

Further reading:

• This POODLE Bites: Exploiting The SSL 3.0 Fallback
• Disabling SSLv3 Support in Browsers
• Protect your Server Against the POODLE SSLv3 Vulnerability

Tags: poodle vulnerability sslv3