Attack of the POODLE
Last week, a new high-profile web vulnerability was disclosed, dubbed 'POODLE' (Padding Oracle On Downgraded Legacy Encryption). This vulnerability received much press, partly because several other high-profile vulnerabilities (Heartbleed and Shellshock in particular) had hit the news recently.
The POODLE vulnerability deals with attacks that downgrade the level of encryption and security in an https connection between a web browser and a server, forcing the two sides to fall back to the old, less secure SSLv3 protocol instead of newer protocols such as TLS 1.0 through 1.2.
SSLv3 has been around for nearly 15 years and has outlived its usefulness. However, most systems have kept it enabled so that legacy systems can still function. At one time, this was the highest protocol that web browsers supported for secure communications, but TLS has been available for many years now. IE6 is the only browser with any notable market share that requires SSLv3 in order to establish secure connections. Any recent version of IE, Chrome, Firefox, Safari, etc. supports TLS.
So, what does this mean for us?
When the vulnerability was reported, the recommendation was to configure systems so that they no longer offer SSLv3 for secure connections. This includes web servers, application servers and appliances, and web browsers, among many other devices. If a user tries to connect to a secure service via SSLv3 after that support has been turned off, they will no longer be able to use the service. The recommended approach is therefore to ensure that web browsers and other client software are kept as up to date as possible.
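The simplest way to verify that a server no longer offers SSLv3 is to send it a ClientHello whose version is SSLv3 (0x0300) and see whether it answers with a ServerHello (SSLv3 still offered) or with an Alert or a closed connection (SSLv3 refused). The probe below is an added example, not a tool from the original post or from NetWork Center, Inc.; the hostname, port and the cipher suites offered are assumptions chosen for the probe.

```python
import socket
import struct

SSL3_VERSION = 0x0300  # record/protocol version SSLv3 uses on the wire


def build_sslv3_client_hello():
    """Build a minimal SSLv3 ClientHello record (constructed probe)."""
    # Three legacy suites an SSLv3-era server would typically accept (assumed).
    cipher_suites = b"\x00\x2f\x00\x35\x00\x0a"  # AES128-SHA, AES256-SHA, 3DES-SHA
    body = struct.pack("!H", SSL3_VERSION)        # client_version
    body += b"\x00" * 32                          # client random (constant for a probe)
    body += b"\x00"                               # session_id length 0
    body += struct.pack("!H", len(cipher_suites)) + cipher_suites
    body += b"\x01\x00"                           # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    # Record header: content type 0x16 (handshake), version, length.
    return b"\x16" + struct.pack("!HH", SSL3_VERSION, len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server returns to the SSLv3 probe."""
    if len(data) < 5:
        return "closed"  # no record at all: the server dropped the connection
    content_type, version, _length = struct.unpack("!BHH", data[:5])
    if content_type == 0x16 and len(data) >= 6 and data[5] == 0x02:  # ServerHello
        return "sslv3_accepted" if version == SSL3_VERSION else "other_version"
    if content_type == 0x15:  # Alert (usually handshake_failure or protocol_version)
        return "sslv3_refused"
    return "unknown"


def probe_sslv3(host, port=443, timeout=5.0):
    """Send the probe to a server you administer and classify its answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""  # treated as 'closed' by classify_response
    return classify_response(data)


if __name__ == "__main__":
    print(probe_sslv3("example.internal"))  # assumed hostname; prints the classification
```

A result of "sslv3_refused" or "closed" means the server has SSLv3 turned off; "sslv3_accepted" means the downgrade the post describes is still possible against that server.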
The greatest risk of allowing SSLv3 in communications is a man-in-the-middle attack, in which an attacker could intercept the secure https traffic and break the encryption to expose sensitive information (passwords, banking information, etc.). Disabling SSLv3 mitigates this threat.
In fact, disabling SSLv3 had been a topic of discussion before this discovery, as weaknesses in the protocol have been known for some time. However, the associated risk was not deemed worth the trouble of potentially shutting out users who were using older web browsers or application clients. With the POODLE vulnerability disclosed, the risk of information disclosure was judged too great, and moving forward with disabling the protocol will be necessary. With IE6 usage falling below 0.1% in most of the world, the impact should be significantly lower than in previous years.
What should I do now?
As with all vulnerabilities, it is important to determine exposure and take action to remediate the issue as quickly as possible. By keeping software and systems up to date with security patches and new software versions, we can help to curb the possibility of serious attacks and information exposure.
To find out if you are vulnerable, contact us at NetWork Center, Inc. for more information.