SSLv3 POODLE Bug CVE-2014-3566
What is it:
POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack.
POODLE affects older standards of encryption, specifically Secure Socket Layer (SSL) version 3 which was release in 1996. It does not affect the newer encryption mechanisms known as Transport Layer Security (TLS).
I’m Just an Average Person, Am I affected?:
Most likely yes, you can test your web browser by going to https://www.poodletest.com/
How Can I Fix my Browser?
Follow some recommended steps to disable SSLv3 support in your browser. Patches and software updates are mentioned latter in this article.
Chrome – Windows
Chrome had an update released in February that added a feature that in theory protects against this vulnerability, however someone people have claimed the adding –ssl-version-min=tls1 to the short cut will disable SSLv3 and earlier but I have not seen this work as in actually disabling SSLv3.
Chrome – Linux (Ubuntu) – gertvdijk on AskUbuntu
Open /usr/share/applications/google-chrome.desktop in a text editor
For any line that begins with “Exec”, add the argument–ssl-version-min=tls1
For instance the line Exec=/usr/bin/google-chrome-stable %U should become Exec=/usr/bin/google-chrome-stable –ssl-version-min=tls1
Put “about:config” in your address bar and press enter
Search throught he list of entries for “security.tls.version.min”
Double click on this item and enter the number 1, click ok
Launch “Internet Options” from the Start Menu
Click the “Advanced” tab
Uncheck “Use SSL 3.0”
I’m a Server Admin What Can I Do to Protect My users:
Disable SSLv3 or lower on your servers, review your SSL Settings & make sure things are in the right order & following best practice which is pretty much to use TLS 1.0 or greater.
In large networks it may be necessary to deploy a group policy setting to disable SSLv3. Guide
How to I disable SSLv3 on X?:
I don’t feel that I’m experienced enough to give advice on Apache or any Linux HTTPS Deamons so I would advise that your check out the Linux community for your distro as they will most likely have information on securing your servers.
As I’m more familiar with IIS (Internet Information Server) I’m happy to provide a link to Nartac Software Inc. GUI tool that allows you to set YOUR SSL settings, I recommend you set you server to the FIPS-140-2 standard using this software.
Changing the settings on windows will also effect other services on you system so make sure you test production environments after making these changes.
How do I know if a Site I’m Visiting is Vulnerable/How do I test My site?:
Qualys, Inc. provides a wonderful tool, SSL Server Test, it can tell you how well your server is doing when it comes to your SSL configuration in general. If you don’t have an A- A or A+ ratting you seriously need to look at your websites security then again maybe you don’t give a site about the people who visit your site. (Your pretty negligent aren’t you)
But remember even if you have an A ratting your site might still be poorly configured or have other issues. e.g. Some sites preference SSLv3 over TLS even though they have TLS enabled.
When are the software updates going toe be available?:
SSLv3 = Never, the Bug is a fundamental design flaw of the protocol.
Firefox = Mozilla has indicated that a patch will be available on the 24/25th November 2014, this update will remove SSLv3 from Firefox
Chrome = Google has not specified when or iff SSLv3 will be removed yet but claims that “Any version of Chrome since February 2014 (Chrome 33 onwards) is protected against this vulnerability.” They have also said “In the coming months, we hope to remove support for SSL 3.0 completely from our client products.”
Internet Explorer = “Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs” , Microsoft provides updates after or on the Second Tuesday of the month unless need arises that it be fixed sooner. (Should be on November 11 or the day after)