On October 14, 2014, Bodo Möller, from the Google Security Team, released a statement that he and two others at Google had discovered a vulnerability in SSL 3.0 that could allow a hacker access to an Internet user’s browsing session and personal account information online.
SSL stands for “Secure Sockets Layer” and its purpose is to encrypt data while users browse the Internet. SSL 3.0 is old technology. TLS (Transport Layer Security) is the newer encryption protocol.
Möller stated, “SSL 3.0 is nearly 18 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue.”
This flaw is being referred to as the POODLE (Padding Oracle on Downloaded Legacy Encryption) bug.
A New York Times article and Time magazine report that home users are not likely to be attacked. Nicole Perlroth, on the New York Times Security blog, reports “to pull off an a Poodle attack security researchers say that the victim has to be actively online and physically close to the attacker — say, using the same public Wi-Fi.”
Still, Möller and the other Googlers, are recommending shutting down SSL 3.0 altogether by taking away the option to downgrade from TLS for browsers. Google Chrome is being tested with changes that disable the fallback to SSL 3.0.
Other browsers and servers are following suit. Mozilla is expected to disable SSL 3.0 in the next version of the Firefox browser, to be released in November. Twitter has disabled support for SSL 3.0. CloudFare CEO Matthew Prince announced: “CloudFlare has disabled SSLv3 across our network by default for all customers. This will have an impact on some older browsers, resulting in an SSL connection error. The biggest impact is Internet Explorer 6 running on Windows XP or older.”
Internet Explorer 6 uses TLS, but not by default. Internet Explorer 6 users are going to have a harder time accessing sites across the Internet with web servers disabling fallback to SSL 3.0.
If you want to command your browser not to use SSL 3.0, Mozilla has a link to instructions for Firefox in their security blog: https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
For Internet Explorer, go to Internet Options on the Tools menu and click on the Advanced tab. Uncheck the box next to SSL 3.0.
To check your browser, click on https://zmap.io/sslv3/. You will either get a red warning box stating that your browser supports SSL v3 or a blue box stating, ” Good News! Your browser does not support SSLv3.”
Excluding SSL 3.0 in your browser is a step for extra security. It may not be necessary for most home users, or for those on a closed network. It is most necessary for those who use public WiFi.
Security risks like this keep cyber security consulting firms like Landon Technologies busy. Let us know if we can ever help your organization combat cybersecurity!