SSL 3.0 Flaw Confirmed, Turn it Off

The technology is about 10 years old and should have been deprecated long ago, but such is life on the aging Internet. I made mention yesterday that information was coming about this bug so it shouldn't be surprising that the tubes are alive and crackling this morning about the SSL 3.0 bug.

Exposed by three Google security engineers, SSL 3.0 (the old, but still supported web encryption standard) has a serious flaw in which an attacker could downgrade and an encrypted TLS session, force clients to use the older SSL 3.0 encryption, and cause the Internet browser to run malicious code that the decrypts traffic. The flaw, dubbed POODLE (Padding Oracle On Downgraded Legacy Encryption), wouldn't be a big issue, but as we've seen even recently in other SSL bugs, lingering technology still utilizes older transmissions techniques to ensure compatibility.

The best case is to just turn it off. It's easy to do in most modern Internet browsers by deselecting the option. But, the bigger problem is web servers that have apps and services built around SSL 3.0 – and there are many.

You would think that SSL 3.0 would have already been removed as a supported option in most modern Internet browsers, but Chrome isn't expected to remove support for a few months and Firefox will see a revamped version without SSL 3.0 support in November. Microsoft has not stated if the SSL 3.0 option will be removed in Internet Explorer, though the company has provided guidance in how to turn it off.

This specific flaw is not as serious as, say, Heartbleed or Shellshock, but it does have a potential impact that could take a few days to fix. There's a site called Poodlescan.com where you can enter a domain and port number (if the port isn't the default 443) and it will check the web server to see if it's vulnerable.

Troy Hunt has posted up an "Everything you need to know…" article on the POODLE bug and does a wonderful job explaining the situation. Read that here:

Everything you need to know about the POODLE SSL bug