It seems that SSL just cannot stay out of the news. Another vulnerability, this time in SSL 3.0, has been disclosed on the Google Online Security Blog. While SSL 3.0 has been around for almost 18 years, it is still supported throughout the Web, and nearly every browser will still speak it.
The key point, though, is that even though newer and more secure versions of the protocol (TLS 1.0 through 1.2) exist and are in wide use, browsers fall back to older protocol versions when a handshake fails. An attacker sitting between the browser and the server can therefore deliberately break the TLS handshakes until the browser retries with SSL 3.0, and then attack that weaker protocol to recover data, such as session cookies, that was supposed to be encrypted. The newly disclosed SSL 3.0 vulnerability, dubbed POODLE (Padding Oracle On Downgraded Legacy Encryption), does exactly this: in SSL 3.0's CBC cipher suites the padding bytes are not covered by the MAC and only the last padding byte is checked, so by repeatedly replacing the final ciphertext block of a request with a chosen block and watching whether the server accepts the record, the attacker learns one byte of plaintext for roughly every 256 requests.
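To make the padding-oracle part concrete, here is a toy simulation in Python, added to this post (it is not code from the original page or from Google's disclosure). A small Feistel cipher stands in for AES, a truncated HMAC for the SSL 3.0 record MAC, and the cookie value is constructed; those are assumptions for the demo, not details of the real attack. The attacker swaps the all-padding final ciphertext block for the block that holds the target byte and waits for the server to accept the record: under the SSL 3.0 padding rule that happens about once in 256 requests and leaks the byte, under the TLS rule it does not happen at all.

```python
"""Toy simulation of the POODLE padding oracle (added example, not code from the
blog or from Google).  A 4-round Feistel network over HMAC-SHA256 stands in for
the block cipher, a truncated HMAC for the SSL 3.0 record MAC, and a fresh IV per
request for the ciphertext variation the real attack gets from each new browser
request.  SECRET is a constructed sample cookie value."""
import hashlib
import hmac
import random

BLOCK = 16     # cipher block size (AES-sized)
MAC_LEN = 16   # toy MAC length; real SSL 3.0 uses MD5 (16) or SHA-1 (20)
SECRET = b"sid=7f3a9c"

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, r, half):  # Feistel round function: keyed PRF of (round, half block)
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def block_encrypt(key, blk):
    left, right = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for r in range(4):
        left, right = right, _xor(left, _f(key, r, right))
    return left + right

def block_decrypt(key, blk):
    left, right = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for r in reversed(range(4)):
        left, right = _xor(right, _f(key, r, left)), left
    return left + right

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(_xor(block_decrypt(key, c), p) for p, c in zip([iv] + blocks, blocks))

def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]

def encrypt_record(enc_key, mac_key, iv, data):
    """MAC-then-pad-then-encrypt; padding is padlen+1 bytes, each equal to padlen."""
    body = data + mac(mac_key, data)
    padlen = BLOCK - 1 - len(body) % BLOCK
    return cbc_encrypt(enc_key, iv, body + bytes([padlen]) * (padlen + 1))

def decrypt_record(enc_key, mac_key, iv, ct, strict_padding):
    """Server side.  SSL 3.0 rule (strict_padding=False): only the final byte, the
    padding length, is checked; the padding bytes are neither MACed nor inspected.
    TLS rule (strict_padding=True): every padding byte must equal the length.
    Returns the application data, or None when the record is rejected."""
    pt = cbc_decrypt(enc_key, iv, ct)
    padlen = pt[-1]
    if padlen >= BLOCK or len(pt) < padlen + 1 + MAC_LEN:
        return None
    if strict_padding and any(b != padlen for b in pt[-(padlen + 1):]):
        return None
    body = pt[:-(padlen + 1)]
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return data if hmac.compare_digest(tag, mac(mac_key, data)) else None

class Victim:
    """Browser and server sharing keys the attacker never sees.  Every request is
    prefix || SECRET || suffix; the attacker picks only the two lengths, as the
    JavaScript POODLE injects does through the URL path and request body."""
    def __init__(self, secret, strict_padding, seed=1):
        self.rng = random.Random(seed)
        self.enc_key = bytes(self.rng.getrandbits(8) for _ in range(16))
        self.mac_key = bytes(self.rng.getrandbits(8) for _ in range(16))
        self.secret, self.strict = secret, strict_padding

    def browser_request(self, prefix_len, suffix_len):
        iv = bytes(self.rng.getrandbits(8) for _ in range(BLOCK))
        data = b"A" * prefix_len + self.secret + b"B" * suffix_len
        return iv, encrypt_record(self.enc_key, self.mac_key, iv, data)

    def server_accepts(self, iv, ct):
        return decrypt_record(self.enc_key, self.mac_key, iv, ct, self.strict) is not None

def poodle_recover(victim, secret_len, max_tries=4000):
    """Man-in-the-middle: one secret byte per ~256 requests, or None if the server
    never accepts a tampered record (what happens under the TLS padding rule)."""
    out = bytearray()
    for j in range(secret_len):
        # Put secret byte j last in block i, and make data+MAC whole blocks so the
        # final ciphertext block decrypts to nothing but padding.
        prefix_len = (BLOCK - 1 - j) % BLOCK
        suffix_len = -(prefix_len + secret_len + MAC_LEN) % BLOCK
        i = (prefix_len + j) // BLOCK
        for _ in range(max_tries):
            iv, ct = victim.browser_request(prefix_len, suffix_len)
            c = [iv] + [ct[k:k + BLOCK] for k in range(0, len(ct), BLOCK)]  # c[0] is the IV
            forged = b"".join(c[1:-1]) + c[i + 1]  # replace the padding block with C_i
            if victim.server_accepts(iv, forged):
                # Accepted iff D(C_i)[-1] ^ C_{n-2}[-1] == BLOCK-1; P_i[-1] = D(C_i)[-1] ^ C_{i-1}[-1]
                out.append((BLOCK - 1) ^ c[-2][-1] ^ c[i][-1])
                break
        else:
            return None
    return bytes(out)
```

Running `poodle_recover(Victim(SECRET, False), len(SECRET))` returns the full cookie after a few thousand simulated requests, while the same attack against `Victim(SECRET, True)` returns None because the TLS rule needs all sixteen padding bytes to match, not just the last one. The real attack also has to make the browser issue those requests, which is why POODLE needs both a man-in-the-middle position and JavaScript running in the victim's browser.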
If you’re in the less than one percent of users relying on outdated browsers, simply download a newer client such as Mozilla Firefox. Current browsers prefer TLS, the successor to SSL, and have the added benefit of updating automatically, which helps you remain secure in the future.
If you are using the latest version of Firefox, Mozilla will disable SSLv3 by default in the Firefox update scheduled for November 25th, but you don’t have to wait for that update: Mozilla has published an add-on that lets you set the minimum protocol version Firefox will accept. To turn off SSLv3 support in Internet Explorer 11, open Tools -> Internet Options -> Advanced tab and uncheck “Use SSL 3.0” under “Security”.
We have started disabling SSLv3 across all our offerings, which protects our services against this vulnerability. If you have questions or concerns, feel free to reach out to our support team at any time.
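If you run servers of your own, the check you want is whether they still complete an SSL 3.0 handshake. The probe below is an added example (not tooling from this post or from our support team): it sends a minimal SSLv3 ClientHello carrying a handful of RSA cipher suites and no extensions, then classifies the first record the server sends back. The record-layer constants and alert codes are those of the SSL 3.0 and TLS specifications; the host and port are whatever you point it at.

```python
"""Probe whether a server still negotiates SSL 3.0.  Added example, not the
blog's code.  Sends a bare SSLv3 ClientHello (no extensions) and classifies the
first record returned: a ServerHello at version 3.0 means SSLv3 is still on."""
import os
import socket
import struct

SSLV3 = b"\x03\x00"
HANDSHAKE, ALERT = 0x16, 0x15
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02
# RSA key-exchange suites a 2014-era server offering SSLv3 would typically accept
# (AES128-SHA, AES256-SHA, DES-CBC3-SHA, RC4-SHA, RC4-MD5).
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}

def build_client_hello(random_bytes=None):
    """Handshake record: ClientHello with client_version 3.0 and null compression."""
    if random_bytes is None:
        random_bytes = os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (SSLV3 + random_bytes + b"\x00"             # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                              # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + SSLV3 + struct.pack("!H", len(handshake)) + handshake

def classify_response(data):
    """Verdict string derived from the first SSL/TLS record the server returned."""
    if len(data) < 5:
        return "rejected: connection closed without a record"
    rec_type, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if rec_type == ALERT and len(payload) >= 2:
        return "rejected: alert %s" % ALERT_NAMES.get(payload[1], payload[1])
    if rec_type == HANDSHAKE and len(payload) >= 6 and payload[0] == SERVER_HELLO:
        version = payload[4:6]                          # server_version follows the 4-byte handshake header
        if version == SSLV3:
            return "VULNERABLE: server completed ServerHello at SSL 3.0"
        return "unexpected: ServerHello with version %d.%d" % (version[0], version[1])
    return "unexpected: record type 0x%02x" % rec_type

def probe(host, port=443, timeout=5.0):
    """Connect, send the SSLv3 ClientHello and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""                                  # a reset is also a refusal
    return classify_response(data)

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

Run it as `python probe.py example.com 443`. A ServerHello with version 3.0 means the server still accepts SSLv3; a protocol_version or handshake_failure alert, or an immediate close, means it has been disabled. Check the public endpoint, since a load balancer or CDN in front of the server is what actually terminates the connection.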
Also note that in Firefox and Chrome, users can disable SSLv3 themselves as described below. Disabling it on our servers protects our services, but a browser that still accepts SSLv3 remains exposed to the same downgrade when it talks to other sites.
Chrome users that just want to get rid of SSLv3 can use the command line flag --ssl-version-min=tls1 to do so. (We used to have an entry in the preferences for that but people thought that “SSL 3.0” was a higher version than “TLS 1.0” and would mistakenly disable the latter.)
In Firefox you can go into about:config and set security.tls.version.min to 1. I expect that other browser vendors will publish similar instructions over the coming days.