Security Update:Significant Vulnerability SSL 3.0 Affecting All Users (Referred to as the Poodle Attack)
Date and Time
The United States Computer Emergency Readiness Team (US-CERT) reported a design flaw in encryption method known as Secure Socket Layer (SSL) 3.0. The vulnerability could allow an attacker to decrypt and extract information from inside an encrypted transaction. This is attack is known as the Poodle Attack.
While SSL 3.0 is an old encryption model and has been replaced with a more secure encryption method, most major browsers (e.g. Google Chrome, Internet Explorer) remain backwards compatible with SSL 3.0 to interoperate with legacy systems in the interest of a smooth user experience. The POODLE attack leverages the fact that when a secure connection attempt fails, servers will fall back to older protocols such as SSL 3.0.
Advanced Users: For a complete description of the vulnerabilities, affected software and updates refer to US-CERT’s Alert (TA14-290A) - SSL 3.0 Protocol Vulnerability and POODLE Attack at https://www.us-cert.gov/ncas/alerts/TA14-290A.
- Any system or application that supports SSL 3.0 with CBC mode ciphers
- Most major browsers (e.g. Internet Explorer, Firefox, Chrome)
- To check if your browser is vulnerable, run a test at poodletest.com
- To check if a website is vulnerable, run a test at https://sslanalyzer.comodoca.com/
WHAT'S THE PROBLEM?
There's a fair chance that the POODLE flaw impacts you. Odds are good that your browser doesn’t rely on SSLv3 by default, but because of the ability to fall back to the legacy protocol when necessary, a site or server that is only configured to connect using SSLv3 will force most browsers to cater to that request.
HOW DO I PROTECT MY COMPUTER?
There is currently no fix for the vulnerability SSL 3.0 itself, as the issue is fundamental to the protocol; however, disabling SSL 3.0 support in system/application configurations is the most viable solution currently available.
- Most major browser vendors are working on disabling SSL 3.0 but it may take time for them to distribute the ‘fix.’
- If you are supported by ITFS or have different IT support, no action on your part is required.
- If you do not have IT support or they do not support your computer, refer to your software vendor for updates or the Vulnerability Summary for CVE-2014-3566 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566.
- Vulnerability Summary for CVE-2014-3566 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566
- IT Security - http://it.ucsf.edu/security