SSL 3.0 vulnerability discovered. Find out how to protect yourself

TechExpert

A security vulnerability in SSL 3.0 has been uncovered by Bodo Möller and two other Google employees that attackers can exploit to calculate the plaintext of secure connections.

SSL 3.0 is an old protocol and most Internet servers use the newer TLS 1.0, TLS 1.1 or TLS 1.2 protocols instead. Client and server usually agree to use the latest protocol version during connections during protocol handshake but since TLS is backwards compatible with SSL 3.0, it can happen that SSL 3.0 is being used instead.

During the first handshake attempt the highest supported protocol version is offered but if this handshake fails, earlier protocol versions are offered instead.

An attacker controlling the network between the client and server could interfere with the handshake attempt so that SSL 3.0 is used instead of TLS.

Details about the attack are available in the security advisory "This POODLE Bites: Exploiting The SSL 3.0 Fallback" which you can download with a click on this link.

Protection against the attack

Since SSL 3.0 is being used by the attacker, disabling SSL 3.0 will block the attack completely. There is one problem however: if the server or client support only SSL 3.0 and not TLS, then it is no longer possible to establish a connection.

You can run SSL Tests on domain names to find out which versions of SSL and TLS they support.

ssl-test

To protect your web browser do the following:

Chrome: Google Chrome and Chromium-based browsers don't list a preference that you can change to edit the minimum and maximum protocol versions that you want the browser to use.  You can launch the browser with the parameter --ssl-version-min=tls1 to enforce usage of TLS1 or higher protocols only.

chrome-ssl3.0

Firefox: Open the about:config page and confirm that you will be careful if this is the first time you open it. Search for security.tls.version.min, double-click it and set its value to 1. This makes TLS 1.0 the minimum required protocol version.

firefox security ssl 30

Internet Explorer: Open the Internet Options with a click on the menu button and the selection of Internet Options from the menu. Switch to Advanced there and scroll down until you find Use SSL 2.0 and Use SSL 3.0 listed there (near the bottom). Uncheck the two options and click ok to apply the change.

internet explorer ssl3.0

Mozilla will remove SSL 3.0 in Firefox 34, the next stable version of the web browser that will be released in six weeks. Google plans to remove SSL 3.0 support in Chrome as well in the next months.