SSL v3.0 protocol vulnerability
Secure Sockets Layer (SSL) is a cryptographic protocol that keeps information passed between a web server and browsers private and secure. Websites most often use SSL to make sure that data entered on the site remains private.
A POODLE (Padding Oracle On Downgraded Legacy Encryption) attack can be performed on browser-based communications that use the SSL v3.0 protocol for encryption. It allows attackers to decrypt the connection and obtain the transmitted data.
Recommendations for users:
- Disable SSL v3.0;
- Use a different encryption algorithm in the SSL v3.0 protocol.
Disabling SSL v3.0 support on browsers:
- Firefox: type about:config into the browser address bar → select security.tls.version.min → click Modify and set the value to 1. Only the protocols TLSv1, TLSv1.1 and TLSv1.2 will then be used.
- Internet Explorer: open the Settings menu → select Internet Options → click the Advanced tab → uncheck the SSLv3 box.
- For Safari users, it is enough to merely install updates.
Turning off SSL v3.0 support on servers:
“Apache” HTTP server:
- Add the directive SSLProtocol All -SSLv2 -SSLv3 to the server’s SSL configuration file to disable the unused protocols.
“Nginx” HTTP server:
- Add the directive ssl_protocols TLSv1 TLSv1.1 TLSv1.2; to the server’s SSL configuration file to list the protocols in use.
“Postfix” SMTP server:
- Add smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3 to the server’s main.cf configuration file.
Microsoft IIS Internet Information Server:
- Make the following change in the server’s registry: under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server, set the “Enabled” value to 0.
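To confirm that a configuration file really excludes SSL v3.0 after the SSLProtocol, ssl_protocols and smtpd_tls_mandatory_protocols changes listed above, the following added example (not part of the original advisory) evaluates each directive and reports the lines that still permit SSLv3. The function names, the sample input and the treatment of Apache's "All" as including SSLv3 are assumptions made for this illustration.

```python
import re

# Assumption: "All" is read as including SSLv3, the conservative choice for
# Apache builds of the POODLE era.
APACHE_ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}

def apache_allows(args):
    # SSLProtocol: "+x" adds, "-x" removes, a bare name replaces the whole set.
    enabled = set()
    for tok in args.lower().split():
        sign = tok[0] if tok[0] in "+-" else ""
        name = tok[len(sign):]
        protos = APACHE_ALL if name == "all" else {name}
        if sign == "-":
            enabled -= protos
        elif sign == "+":
            enabled |= protos
        else:
            enabled = set(protos)
    return "sslv3" in enabled

def nginx_allows(args):
    # ssl_protocols is an explicit allow-list ending in ";".
    return "sslv3" in args.lower().rstrip(";").split()

def postfix_allows(args):
    # "!x" excludes a protocol; bare names, if any, form an allow-list.
    toks = [t for t in re.split(r"[,\s:]+", args.lower()) if t]
    allow = [t for t in toks if not t.startswith("!")]
    return "!sslv3" not in toks and (not allow or "sslv3" in allow)

RULES = {
    "apache": (r"\s*SSLProtocol\s+(.+)", apache_allows),
    "nginx": (r"\s*ssl_protocols\s+(.+)", nginx_allows),
    "postfix": (r"\s*smtpd_tls_mandatory_protocols\s*=(.*)", postfix_allows),
}

def sslv3_lines(kind, config_text):
    """Return (line_number, text) for every directive that still permits SSLv3."""
    pattern, allows = RULES[kind]
    hits = []
    for number, line in enumerate(config_text.splitlines(), 1):
        match = re.match(pattern, line.split("#", 1)[0], re.IGNORECASE)
        if match and allows(match.group(1).strip()):
            hits.append((number, line.strip()))
    return hits

if __name__ == "__main__":
    # Constructed sample, not taken from a real server.
    print(sslv3_lines("apache", "SSLEngine on\nSSLProtocol all -SSLv2\n"))
```

A file that lacks the directive altogether also returns an empty list, so the server's built-in default still has to be checked separately.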