[UCI-Linux] Fwd: SSLv3 vulnerability
Mike Iglesias
iglesias at uci.edu
Wed Oct 15 09:12:17 PDT 2014
For those of you not on the network-security-alerts mailing list...
-------- Original Message --------
Subject: SSLv3 vulnerability
Date: Wed, 15 Oct 2014 09:10:57 -0700
From: Mike Iglesias <iglesias at uci.edu>
To: network-security-alerts at uci.edu
A vulnerability (called "POODLE") has been found in SSLv3, which is used by
web servers and browsers to secure traffic between them. The vulnerability
could allow traffic to be decrypted, exposing cookies, passwords, and other
private data. Currently, SSLv3 is used by less than 1% of web traffic so it's
not widely used any more.
While this vulnerability is not as critical as the recent Heartbleed or
Shellshock vulnerabilities, we recommend that you turn off SSLv3 support in
your web servers. Firefox v34, which will be released in late November, will
have SSLv3 support disabled. Google will be disabling SSLv3 in Chrome soon as
well. Anyone using Windows XP and IE6 will not be able to access your web
site if you turn off SSLv3 unless they enable TLS v1.0 in IE. Windows XP is
no longer supported by Microsoft and anyone still using it should upgrade to
Windows Vista/7/8 and a more modern version of IE.
To turn off SSLv3 in Apache, look for the line in the configuration that has
"SSLProtocol" in it and make it look like this:
SSLProtocol all -SSLv2 -SSLv3
For IIS, follow the directions here:
https://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html
For more information on the SSLv3 issue, see
http://googleonlinesecurity.blogspot.ca/2014/10/this-poodle-bites-exploiting-ssl-30.html
https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
Mozilla has some recommendations for web server configuration here:
https://wiki.mozilla.org/Security/Server_Side_TLS
--
Mike Iglesias Email: iglesias at uci.edu
University of California, Irvine phone: 949-824-6926
Office of Information Technology FAX: 949-824-2270
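After disabling SSLv3 it is worth verifying from the outside that the server really no longer negotiates it. The usual quick check is `openssl s_client -ssl3 -connect host:443`, but many current OpenSSL builds are compiled without SSLv3 support, so that option is often unavailable. The following is an added example, not part of the mailing-list post above and not UCI's or Apache's own tooling: a small probe that sends a raw SSLv3 ClientHello and classifies the first record the server answers with. The function names (`build_client_hello`, `classify_response`, `probe_sslv3`), the cipher-suite list, and the classification strings are assumptions chosen for this example; the record and handshake layout follows the SSL 3.0 wire format. The network call needs access to a target; the two byte-level helpers work offline on constructed input.

```python
"""Probe a TLS endpoint for SSLv3 support by sending a raw SSLv3 ClientHello.

Added example (hypothetical code, not from the original post). Standard
library only. build_client_hello() and classify_response() work on bytes and
can be exercised offline; probe_sslv3() performs the network exchange.
"""
import os
import socket
import struct
import sys

SSLV3 = 0x0300      # protocol version 3.0 as carried in the record/handshake
HANDSHAKE = 0x16    # record content type: handshake
ALERT = 0x15        # record content type: alert

# Cipher suites a 2014-era SSLv3 server would commonly accept (RSA and DHE key
# exchange with AES, 3DES and RC4). The list is an assumption for this example;
# the server picking any of them shows it still negotiates SSLv3.
CIPHER_SUITES = [0x0039, 0x0033, 0x0035, 0x002F, 0x000A, 0x0005]

ALERT_NAMES = {40: "handshake_failure", 47: "illegal_parameter", 70: "protocol_version"}


def build_client_hello(random_bytes=None):
    """Return an SSLv3 ClientHello handshake message inside a record-layer header."""
    if random_bytes is None:
        random_bytes = os.urandom(32)
    if len(random_bytes) != 32:
        raise ValueError("ClientHello random must be 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        struct.pack("!H", SSLV3)                      # client_version = 3.0
        + random_bytes                                # gmt_unix_time + random
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", len(suites)) + suites     # cipher_suites vector
        + b"\x01\x00"                                 # one compression method: null
    )
    # Handshake header: type 1 (client_hello) + 3-byte body length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type, version, 2-byte length.
    return struct.pack("!BHH", HANDSHAKE, SSLV3, len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server returns for the SSLv3 ClientHello.

    Returns "sslv3_accepted", "rejected:<reason>" or "other:<detail>".
    A server with SSLv3 disabled answers with an alert or simply closes the
    connection; a server that still supports it answers with a 3.0 ServerHello.
    """
    if not data:
        return "rejected:connection_closed"
    if len(data) < 5:
        return "other:short_record"
    content_type, _version, _length = struct.unpack("!BHH", data[:5])
    if content_type == ALERT:
        if len(data) >= 7:
            desc = data[6]                            # data[5] is the alert level
            return "rejected:alert_%s" % ALERT_NAMES.get(desc, str(desc))
        return "rejected:alert"
    if content_type == HANDSHAKE:
        if len(data) < 11 or data[5] != 0x02:         # expect a ServerHello (type 2)
            return "other:unexpected_handshake"
        server_version = struct.unpack("!H", data[9:11])[0]
        if server_version == SSLV3:
            return "sslv3_accepted"
        return "other:server_version_%04x" % server_version
    return "other:content_type_%d" % content_type


def probe_sslv3(host, port=443, timeout=5.0):
    """Connect, send the ClientHello and classify the reply (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            return "other:timeout"
        except ConnectionResetError:
            reply = b""                               # reset counts as a refusal
    return classify_response(reply)


if __name__ == "__main__":
    if len(sys.argv) not in (2, 3):
        sys.exit("usage: %s host [port]" % sys.argv[0])
    port = int(sys.argv[2]) if len(sys.argv) == 3 else 443
    print("%s:%d -> %s" % (sys.argv[1], port, probe_sslv3(sys.argv[1], port)))
```

A result of "sslv3_accepted" means the SSLProtocol change (or the IIS registry change) has not taken effect on that listener; restart the service and re-run. Because the probe only looks at the first record, it does not tell you which cipher suite was chosen or whether TLS 1.0 and later are still offered, so it complements rather than replaces a full scan.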