Researchers at Google recently announced a vulnerability in SSLv3, one of the protocols used for web traffic security. They have dubbed this exploit ‘POODLE,’ an acronym for Padding Oracle On Downgraded Legacy.
SSLv3 is an older protocol, and has largely been replaced by the newer TLS protocol family. However, older browsers that do not support the TLS family of protocols rely exclusively on SSL. When presented with a TLS connection, browsers like IE6 will propose that the connection use SSLv3, and most servers will comply.
The root of the POODLE vulnerability is how SSLv3 encrypts data. One of two cipher methods is used, either ‘block’ or ‘stream’. Now with POODLE, neither cipher method is secure.
The status for Codero customers:
Codero Proactive and Managed Services: Our Support team corrected this issue within hours of the exploit being released. If there were additional requirements needed to finish the patching, we have notified you via email. Please check your inbox or contact support if you have any questions or concerns.
Self managed: We strongly recommend you apply one of the following POODLE fixes to your configuration:
1. Disable SSLv3
Since the exploit requires SSLv3, disabling SSLv3 is the easiest fix. If SSLv3 is disabled, IE6 users will see an SSL connection error and be unable to use your site. Due to the relative low use of IE6 (around 3.8% of all web traffic worldwide), it is our opinion that this is an acceptable compromise in the name of greater security.
2. Modify TLS Fallback Settings
As there are different versions of TLS, there’s a similar backward compatibility negotiation that can occur. To guard against a POODLE attack, we recommend implementing TLS_FALLBACK_SCSV in any fallback negotiations. This means that SSLv3 would only be used in a legacy situation, and an attacker can’t force the fallback to occur.
If you would like more detailed instruction, here is a general guide on how to resolve the POODLE flaw. Should you require assistance implementing a POODLE fix, please contact our Support staff. Our experts are standing by 24×7 to help.
Tags: online security