How To Protect Against the POODLE SSLv3 Vulnerability
The POODLE SSL vulnerability marks the third major security flaw discovered this year that impacts the security of millions of websites.
The attack works by forcing the connection to downgrade from the newer TLS protocol to the 18 year old SSL 3 protocol, which is obsolete and insecure, and then utilizing a weakness to calculate small strings of data from the encrypted communication, such as session cookies.
Google Security Team member, Bodo Möller, explains the mitigation as:
Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.
If you run servers
Unless you have a worldwide audience with significant usage of obsolete browsers, such as Internet Explorer 6, then disabling SSL v3 is to be preferred over just adding TLS_FALLBACK_SCSV. Therefore, I suggest taking immediate action to disable SSL v3 in your configuration. Remember that this not only impacts your web server, but also your e-mail server that negotiates secure connections to clients and also to other e-mail servers. See the How To Protect your Server Against the POODLE SSLv3 Vulnerability tutorial over Digital Ocean.
If you do not run servers, but want to protect yourself
The best thing is to disable SSLv3 support in your web browser so that you cannot be made a victim while connecting to a server that continues to support old, obsolete protocols. See the Disabling SSLv3 Support in Browsers tutorial (with pictures) over at zmap.io.
Anyone on Windows XP, abandon ship
This situation may be the final nail in the coffin of Internet Explorer on Windows XP, since all versions are vulnerable and Microsoft is no longer issuing security patches for those systems. Chrome or Firefox may be used on Windows XP as they have their own network stacks not dependent upon Microsoft for updates. But there are other security problems with the platform and to continue to use it, especially for business is negligence.
Further reading
- This POODLE Bites: Exploiting The SSL 3.0 Fallback (openssl.org - PDF)