A new vulnerability was disclosed yesterday in the SSL 3.0 protocol. Labelled Poodle (Padding Oracle On Downgraded Legacy Encryption), the vulnerability can enable crucial information to be intercepted by third parties in communications with servers which enable SSL 3.0.
What is the issue?
The issue is not linked to the SSL Certificates themselves but to the version of the protocol used when carrying out encrypted transactions. A vulnerability was discovered in the SSL 3.0 protocol, which can allow an attacker to have access to personal information such as passwords and cookies.
SSL 3.0 is still widely used, even though it is 18 years old, and the more secure TLS protocol has been available for 15 years. To achieve secure encryption, SSL 3.0 must be disabled entirely to protect against downgrade attacks.
What should I do?
As a server administrator, you will need to follow these steps:
1. Check if your server is configured to allow communications over SSL 3.0. You can do this by executing the following OpenSSL command:
openssl s_client -ssl3 -connect [host]:[port]
If SSL 3.0 is disabled, you will see this notification:
SSL routines:SSL3_READ_BYTES:sslv3 alert handshakefailure:/xx/src/ssl/s3_pkt.c:xxxx:SSL alert number 40SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/xx/src/ssl/s3_pkt.c:xxx:
2. Fully disable SSL 3.0
3. Only enable the secure protocols TLS 1.0 and above
You can refer to the following links for assistance and instructions on how to disable SSL 3.0 for the most popular servers:
Apache: http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslprotocol
Nginx: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols
IIS: http://support2.microsoft.com/kb/187498
Website users should also configure their browsers to disallow communications over SSL v3.0. The main browser providers are planning to do this by default in their next releases, so make sure you always upgrade to the latest browser version, and check regularly with your provider for the latest information.
About the GlobalSign systems
SSL 3.0 is disabled both on our company websites as well as our GCC system. If you are having issues accessing these sites, please use browsers which support TLS 1.0 +.
References
This POODLE Bites: Exploiting The SSL 3.0 Fallback: https://www.openssl.org/~bodo/ssl-poodle.pdf
Microsoft Security Advisory 3009008: https://technet.microsoft.com/en-us/library/security/3009008
