Google Finds Man-In-The-Middle Flaw in SSLv3, Introducing the POODLE Vulnerability

Google Security has found a new serious man-in-the-middle vulnerability against the venerable SSLv3 cipher suites. While SSLv3 is getting quite old, it is still used by a number of sites that aim at support old and antiquated browsers. SSL 3.0 is the final predecessor to TLS which replaced it.

The POODLE attack, which is a successful man-in-the-middle attack for people with a privileged position on the network, can decrypt an entire session that is supposed to be private.

This problem spans a lot of products, because SSL 3.0 is supported by many websites and services in order to keep older browsers and software working. It is enabled on a large number of operating systems, browsers, and some security products.

Google, Microsoft, Mozilla, and Apple have collectively decided that the best countermeasure for this serious vulnerability is to simply disable SSL 3.0 and stop using it, as the stack is too old to be worth devoting the resources the fix. TLS 1.0 replaced SSL 3.0 in 1999. TLS 1.2, the current standard for SSL encryption, was adopted in 2008, and TLS 1.3 is currently being developed as a new standard.

Many people in the industry have been calling for the end of SSL 3.0 and TLS 1.0 support for a long time. This is finally a death sentence for SSL 3.0.

Here is a list of websites that are currently vulnerable to POODLE as they support SSL 3.0:
https://poodle.io/

How to disable SSL 3.0 in various browsers and operating systems:


Windows: https://technet.microsoft.com/en-us/library/security/3009008.aspx

Firefox: (Step 4) https://vikingvpn.com/blogs/security/secure-browsing-with-firefox

Chrome for Windows: (Post by "the core") https://productforums.google.com/forum/#!topic/chrome/dpiPu9B1cBI

Chrome for other operating systems and Internet Explorer: https://zmap.io/sslv3/browsers.html


< last
next >