Lately, we have seen some really bad vulnerabilities in SSL (Heartbleed) and Bash (later dubbed “Shellshock”), along with some slightly “lighter” Linux/open source ones.
In September of this year, Google first discovered a fallback attack for SSL v3.0, and they published a paper on it: https://www.openssl.org/~bodo/ssl-poodle.pdf.
Today, it was officially confirmed that SSL version 3.0 is no longer secure, and thus, it is no longer recommended in client software (e.g. web browsers, mail clients, etc.) or server software (e.g. Apache, Postfix, etc.).
This was dubbed the “POODLE” vulnerability, and assigned CVE-2014-3566.
A “POODLE attack” can be used against any website or browser that still supports SSLv3.
Browsers and websites need to turn off SSLv3 as soon as possible in order to avoid compromising sensitive/private information. Even though a really small percentage of servers/browsers are vulnerable (Mozilla estimates 0.3% of the internet), that is still a large number of users in absolute terms.
How can I check if my browser is vulnerable?
The guys at dshield set up this nice browser check: https://sslv3.dshield.org:444/index.html
If you get something like Error code: ssl_error_cipher_disallowed_for_version in Firefox, it’s actually a good thing. It means that you are secure.
Here is an even better check (which Curtis Wilcox pointed me at): https://www.poodletest.com/
Chris La Nauze mentioned another website which seems great (if not even better than dshield’s):
Until an official patch comes out (this is a design bug, not a software bug – it will most likely be just end-of-lifed), you can turn off SSLv3 support for these major products:
In Firefox, go to “about:config”, find security.tls.version.min and set the value to 1. Then restart your browser to drop any open SSL connections.
Patching in Internet Explorer (IE):
Edit your ssl.conf (or equivalent virtual config) and add: SSLProtocol All -SSLv2 -SSLv3
Then restart Apache: sudo service apache2 restart
Edit your config and add: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Then restart nginx: sudo service nginx restart
Edit your main.cf config and change: smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
Then restart Postfix: sudo service postfix restart
Open regedit and go to:
Under Protocols you will probably have a folder called “SSL 2.0”. Please create a “SSL 3.0” folder if you don’t have one already. Under the SSL 3.0 folder, please create a DWORD value called “Enabled” with value “0”. At this point, you have to reboot the server.
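To double-check the Apache, nginx and Postfix settings above, here is an added example (not from the original post or from any of those projects) that reads config lines and reports whether SSLv3 is still enabled. The function names and the sample config are constructed for illustration, and the directive handling is a simplified model: Apache's "All" is assumed to include SSLv3 and bare Apache tokens are treated as additive.

```python
import re

# Simplified models of the three directives shown on this page.
# Assumption: Apache "all" includes SSLv3 (true of releases current at POODLE
# disclosure) and bare Apache tokens add to the set rather than replace it.
APACHE_ALL = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}

def _apache(args):
    enabled = set()
    for tok in args.split():
        sign, name = ("-", tok[1:]) if tok[0] == "-" else ("+", tok.lstrip("+"))
        names = APACHE_ALL if name.lower() == "all" else {name.lower()}
        enabled = enabled - names if sign == "-" else enabled | names
    return "sslv3" in enabled

def _nginx(args):
    # nginx enables exactly the protocols that are listed.
    return "sslv3" in args.strip().rstrip(";").lower().split()

def _postfix(args):
    # "!proto" excludes a protocol; if any protocol is named without "!",
    # only the named ones are allowed.
    toks = [t.lower() for t in re.split(r"[,:\s]+", args.strip()) if t]
    if "!sslv3" in toks:
        return False
    positives = [t for t in toks if not t.startswith("!")]
    return not positives or "sslv3" in positives

RULES = [
    (re.compile(r"^\s*SSLProtocol\s+(.+)$", re.I), _apache),
    (re.compile(r"^\s*ssl_protocols\s+(.+)$", re.I), _nginx),
    (re.compile(r"^\s*smtpd_tls_mandatory_protocols\s*=\s*(.*)$", re.I), _postfix),
]

def sslv3_enabled(line):
    """Return True/False for a recognised directive, None for any other line."""
    line = line.split("#", 1)[0]          # drop trailing comments
    for pattern, check in RULES:
        m = pattern.match(line)
        if m:
            return check(m.group(1))
    return None

def audit(config_text):
    """Return (line_number, text) pairs for directives that leave SSLv3 on."""
    return [(n, l.strip()) for n, l in enumerate(config_text.splitlines(), 1)
            if sslv3_enabled(l)]

# Constructed sample: a weak Apache line next to a corrected nginx line.
SAMPLE = "SSLProtocol All -SSLv2\nssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n"
```

Run `audit()` over the text of each config file after editing it; an empty list means none of the recognised directives still allows SSLv3. A file with no such directive at all falls back to the server's built-in default, which this sketch does not model.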
Another way to solve this problem, per Google, is to “use SSL implementations that take advantage of the TLS_FALLBACK_SCSV feature. This feature notifies the other side that you first tried the stronger cipher. This way, they can reject the downgrade attempt that may have been introduced by a MitM attack.”