Blog Header Banner

Archive for the ‘ssl v3’ tag

The SSL POODLE that Bites – SSL 3.0 Issues for web sites   no comments

Posted at Feb 22, 2015 @ 11:20am internet security,Web hosting

PadlockWhen I say POODLE, what do you think of? Is it a fluffy dog? In most cases, I would be referring to the fluffy dog, but for this article, we will be focusing on a security vulnerability. I’m not sure if you’re aware, but if you’re currently using SSL version 3.0, you will need to perform some updates to your SSL daemon on your server. SSL stands for Secure Sockets layer. A SSL is what every ecommerce site should have. It allows for you to securely process payments through your website. In fact, if you’re taking orders from your clients, you should be using a SSL. SSL’s add another layer of security and trust for your clients. If you’ve not read my post on PCI compliance and you’re running an ecommerce site, you should read my post on PCI compliance here: (Insert link to PCI compliance post)

 

With SSL’s as with any piece of software on the internet, there are different versions. SSL version 3.0 is nearly 18 years, however, SSL version 3.0 is no longer secure and remains in widespread use across the internet. Nearly all browsers support SSL version 3, and in order to work around bugs, within HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. This retrying of failed connections within SSL v3, allows the POODLE exploit to be initiated. This POODLE exploit works due to the nature of the failed connections and allows for a possible leak of your customers data when processing orders. You can read more about the specifics of the attack here:

 

http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html

 

Browsers and websites should turn off SSLv3 in order avoid compromising users’ private data.  The most straight forward method is to disable SSL 3.0 entirely, which you can see how to do at the links below, however, this can cause a myriad of computability issues. Therefore, the recommend plan of option is to enable TLS_FALLBACK_SCSV. Using the links below, they will show you how to properly secure your servers SSL daemon. These options resolve the issue of retrying failed SSL connections. It also prevents hackers with knowhow from downgrading from TLS 1.2 to 1.1 or 1.0.

 

 

For WHM/cPanel servers –  https://documentation.cpanel.net/display/CKB/How+to+Adjust+Cipher+Protocols

 

For DirectAdmin servers – http://forum.directadmin.com/showthread.php?t=50105

 

For Plesk servers – http://kb.sp.parallels.com/en/123160

 

Share : Facebooktwitterredditlinkedinmail Follow Us : Facebooktwitterlinkedinyoutubeinstagram

Written by Jeremy on February 22nd, 2015

Tagged with , , , , , , ,