[SingCERT] SSLv3 "POODLE" Vulnerability

Published on Thursday, 16 October 2014 09:52

[ Summary ]

Secure Sockets Layer (SSL) version 3.0 is an old version of the security protocol used to establish an encrypted link between a server and a client.

Yesterday, a vulnerability known as POODLE ("Padding Oracle On Downgraded Legacy Encryption") was reported in SSLv3. An attacker can exploit this vulnerability to obtain users’ cookies and compromise users’ accounts.

This vulnerability has been assigned a CVE number: CVE-2014-3566.

[ Solution/Workaround ]

For General Internet Users:

  • In the next few months, Google and Mozilla will be disabling or removing SSLv3 support from their browsers. Google Chrome and Mozilla Firefox users are advised to update their browsers to the latest version to avoid being exploited.
  • Users of Internet Explorer 7 and above should exercise the option to disable SSLv3 from their browsers immediately.
  • Users of Internet Explorer 6 should consider using an alternative browser or upgrading to Internet Explorer 7, where SSLv3 can be disabled to avoid the vulnerability.

For web system owners:

  • Web system owners should check if their website is using ONLY SSLv3 to secure their connections. If so, they should consider upgrading to TLS where possible.
  • Web system owners are also advised to disable SSLv3 and enable TLS_FALLBACK_SCSV to maintain interoperability.
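
One way for a web system owner to carry out both checks above on their own server, shown as an added example that is not part of the original advisory: send an SSLv3-only ClientHello and read the first record of the reply, once without and once with the TLS_FALLBACK_SCSV cipher suite value (0x5600, RFC 7507). The function names client_hello, classify and probe are hypothetical, and the cipher suite list is one illustrative choice.

```python
import os
import socket
import struct

# Added example; function names are hypothetical, not from the advisory.
SSL3 = b"\x03\x00"                          # protocol version 3.0
FALLBACK_SCSV = b"\x56\x00"                 # TLS_FALLBACK_SCSV (RFC 7507)
CBC_SUITES = b"\x00\x0a\x00\x2f\x00\x35"    # RSA with 3DES / AES128 / AES256, CBC + SHA
ALERTS = {40: "handshake_failure", 70: "protocol_version",
          86: "inappropriate_fallback"}


def client_hello(with_scsv=False):
    """Build an SSLv3 ClientHello record, optionally carrying TLS_FALLBACK_SCSV."""
    suites = CBC_SUITES + (FALLBACK_SCSV if with_scsv else b"")
    body = (SSL3 + os.urandom(32) + b"\x00"          # version, random, empty session id
            + struct.pack(">H", len(suites)) + suites
            + b"\x01\x00")                           # one compression method: null
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body
    return b"\x16" + SSL3 + struct.pack(">H", len(handshake)) + handshake


def classify(reply):
    """Interpret the first record of the server's reply to the probe."""
    if len(reply) < 5:
        return "no usable reply (connection closed or reset)"
    ctype, length = reply[0], struct.unpack(">H", reply[3:5])[0]
    payload = reply[5:5 + length]
    if ctype == 0x15 and len(payload) >= 2:          # alert: level, description
        return "refused: " + ALERTS.get(payload[1], "alert %d" % payload[1])
    if ctype == 0x16 and len(payload) >= 6 and payload[0] == 0x02:  # ServerHello
        if payload[4:6] == SSL3:
            return "SSLv3 accepted"
        return "negotiated version 0x%02x%02x" % (payload[4], payload[5])
    return "unexpected record type %d" % ctype


def probe(host, port=443, with_scsv=False, timeout=5.0):
    """Send the hello to a server you operate and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(client_hello(with_scsv))
        try:
            return classify(s.recv(4096))
        except OSError:                              # reset or timeout
            return classify(b"")
```

"SSLv3 accepted" from probe(host) means SSLv3 is still enabled. On a server that also offers TLS and honours the fallback signal, probe(host, with_scsv=True) returns "refused: inappropriate_fallback".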
