Created by James Welcher, last modified by Jay Krous on Oct 17, 2018
Poodle Resources
Vulnerability Description and Assessment:
The “Poodle” vulnerability is a protocol weakness in SSL 3.0. An attacker sitting between a client browser and a webserver could mount a man-in-the-middle attack and decrypt the encrypted SSL traffic. SSL 3.0 is a very old version of the SSL protocol and accounts for less than one-half of one percent of HTTPS traffic. Modern browsers use a version of TLS for establishing encrypted HTTPS connections.
The problem is that most browsers still support SSL 3.0 if they can’t establish a more modern TLS connection, and the attack works by tricking the browser into using the older protocol.
Mitigations
The real fix is for browsers to drop support for SSL 3.0. For example, in November, the next release of Firefox will no longer support SSL 3.0 by default. Other browsers are following suit.
Our recommendation is to enable auto-updates of your web browser and upgrade when the next release becomes available.
Mac users who are running auto updates should have applied Apple’s Security Update 2014-005 on 10/16/2014, which disables CBC-mode ciphers in conjunction with SSLv3. Mountain Lion, Mavericks, and Yosemite users should therefore be patched.
Meanwhile, users with laptops that travel offsite, or who otherwise want to take proactive steps to disable SSL 3.0, can follow the “Disabling SSL 3.0 in various browsers” link below.
We will be working with Lab webservers to disable SSL 3.0 going forward, as well as monitoring for outbound SSL 3.0 connections.
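One way to approach the outbound monitoring mentioned above, as an added example that is not part of the original page or the Lab's tooling: it reads the protocol version the server selected from a captured ServerHello and flags SSL 3.0 (0x0300). The function names, hostnames and sample bytes are constructed for illustration, and it assumes the ServerHello arrives in a single unfragmented record.

```python
import struct

HANDSHAKE, SERVER_HELLO, SSL3 = 22, 2, 0x0300

def parse_server_hello(data):
    """Return (version, cipher_suite) from a ServerHello record, else None."""
    if len(data) < 5:
        return None
    ctype, _rec_version, rec_len = struct.unpack("!BHH", data[:5])
    body = data[5:5 + rec_len]
    # Need the 4-byte handshake header, version, random and session id length.
    if ctype != HANDSHAKE or len(body) < rec_len or len(body) < 4 + 35:
        return None
    if body[0] != SERVER_HELLO:
        return None
    version = struct.unpack("!H", body[4:6])[0]
    sid_len = body[38]  # follows header (4), version (2) and random (32)
    off = 39 + sid_len
    if len(body) < off + 2:
        return None
    suite = struct.unpack("!H", body[off:off + 2])[0]
    return version, suite

def ssl3_flows(flows):
    """Return [(dest, cipher_suite)] for flows whose server selected SSL 3.0."""
    hits = []
    for dest, first_server_bytes in flows:
        parsed = parse_server_hello(first_server_bytes)
        if parsed and parsed[0] == SSL3:
            hits.append((dest, parsed[1]))
    return hits

def make_server_hello(version, suite):
    """Build a minimal ServerHello record (constructed sample data only)."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!HB", suite, 0)
    hs = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", HANDSHAKE, version, len(hs)) + hs

# Constructed sample flows: (destination, first bytes sent by the server).
SAMPLE_FLOWS = [
    ("legacy.example:443", make_server_hello(0x0300, 0x000A)),  # SSL 3.0, 3DES-CBC
    ("modern.example:443", make_server_hello(0x0303, 0x002F)),  # TLS 1.2
    ("short.example:443", b"\x16\x03\x00"),                     # truncated capture
]

if __name__ == "__main__":
    for dest, suite in ssl3_flows(SAMPLE_FLOWS):
        print(f"{dest}: server selected SSL 3.0, cipher suite 0x{suite:04x}")
```

The version inside the ServerHello body is the one to check, since the record-layer version on a ClientHello does not show what was finally negotiated.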
Resources:
- http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploiting-ssl-30.html
- https://www.imperialviolet.org/2014/10/14/poodle.html
- http://notary.icsi.berkeley.edu/2014/10/16/sslv3-poodle-attack/
- Browser Check for Poodle Vulnerability: https://poodletest.com/
- Apple’s Update: https://support.apple.com/kb/HT6531
- https://isc.sans.edu/diary/POODLE%3A+Turning+off+SSLv3+for+various+servers+and+client.++/18837