In an announcement that underlines the importance of keeping software up to date, Google yesterday disclosed a bug in SSL 3.0, a version of the SSL protocol that is 15 years old. The bug, named POODLE, renders transactions originating from certain outdated browsers and/or operating systems vulnerable to attack.
The key point is that even though newer and more secure versions of the protocol are available and in use, browsers fall back to older protocols when a connection attempt fails. This means an attacker can deliberately cause connection failures in order to trigger a downgrade to the deprecated version of SSL, then exploit that version so that once-encrypted information can be read in plain text. The newly disclosed vulnerability in SSL 3.0 does exactly this. The name ‘POODLE’ is an acronym for Padding Oracle On Downgraded Legacy Encryption. You can read more about Google’s assessment of the bug on its Online Security Blog.
As soon as this flaw was announced, we removed access through SSL 3.0 to our servers, and there is no reason to suspect any security breach. We strongly suggest that you take note of these developments and take steps to protect yourself against the POODLE vulnerability.
How does this affect you?
If you are among the less than one percent of users still relying on an outdated browser, simply download a newer client such as Mozilla Firefox or Google Chrome. The latest clients use TLS, a more secure successor to SSL, and have the added benefit of updating automatically, which helps you stay secure in the future!
If you are using Chrome, you can disable SSL 3.0 by launching it with the command line flag --ssl-version-min=tls1.
If you are using the latest version of Firefox, SSL 3.0 will be disabled by default in its November 25th update. However, you don’t have to wait for that update: Mozilla has created a plugin that lets you set the minimum SSL version Firefox will accept. Some other workarounds for this vulnerability can be found here.
If you are using Internet Explorer 11, you can disable SSL 3.0 support by going to Settings -> Internet Options -> Advanced tab and unchecking “SSLv3” under “Security”.
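The client-side steps above protect your own browser; to confirm that a server you operate no longer agrees to SSL 3.0 after it has been switched off, the following added example (not part of the original post and not LogicBoxes tooling) sends a ClientHello that offers only SSL 3.0 and reports whether the server replies with an SSL 3.0 ServerHello. It assumes a hypothetical host passed to probe() and uses raw sockets so it works even where the local OpenSSL build has SSLv3 removed.

```python
"""Check whether a server still negotiates SSL 3.0 (the POODLE-vulnerable version)."""
import socket
import struct

SSL3 = b"\x03\x00"  # protocol version bytes for SSL 3.0


def build_sslv3_client_hello() -> bytes:
    """Minimal ClientHello that offers SSL 3.0 only and one common CBC cipher suite."""
    client_random = b"\x00" * 32                  # constant; this probe never finishes a handshake
    cipher_suites = b"\x00\x2f"                   # TLS_RSA_WITH_AES_128_CBC_SHA
    body = (SSL3 + client_random
            + b"\x00"                             # empty session id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00")                        # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # 0x01 = ClientHello
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake  # 0x16 = handshake record


def server_accepts_sslv3(response: bytes) -> bool:
    """True only if the first record is a ServerHello whose server_version is 3.0.

    Record header is 5 bytes (type, version, length), handshake header is 4 bytes
    (type, length), so server_version sits at offsets 9..10. An Alert record
    (type 0x15) or any other reply means the server refused SSL 3.0.
    """
    if len(response) < 11 or response[0] != 0x16:
        return False
    if response[5] != 0x02:                       # 0x02 = ServerHello
        return False
    return response[9:11] == SSL3


def probe(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Connect to host:port, offer SSL 3.0 only, and report whether it was accepted."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        return server_accepts_sslv3(sock.recv(4096))
```

A result of True means the server still needs SSL 3.0 disabled; False (an alert or connection reset) is the expected outcome after the fix.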
We strongly suggest that you communicate the discovery of this bug and its remedy to all your clients.
If you’re a LogicBoxes Partner, stay tuned to our forums for further updates! Feel free to get in touch with us if you need any further information!