SSL 3.0 Vulnerability Discovered

Written on October 20, 2014

Due to the recent discovery of the SSL 3.0 vulnerability (Poodle), Warren Averett Technology Group would like to provide some information on what and who is affected by the issue, and assure you that we are working diligently to ensure this vulnerability has been removed from your networked systems and security patches are applied upon release from each vendor.

The Poodle vulnerability exploits a weakness in SSL 3.0, an older version of the encryption technology designed to protect online accounts for email, instant messaging, and e-commerce. Many of the websites you may visit begin with https:// and display a small padlock beside the website name, which signifies that they are using a secure form of communication for any information you may send to or receive from their site. Most web services and devices use the TLS 1.2 protocol, which is a much more secure connection method, but some web servers still accept older versions of TLS and its predecessor, SSL 3.0, so a connection can be downgraded to one of them. Once the connection is downgraded to SSL 3.0, the data transmitted is no longer secure.

We recommend that you disable SSL 3.0 in your browser, which will prevent a downgrade to the less secure connection. Instructions for disabling SSL 3.0 in the most popular browsers are shown below.

Warren Averett Technology Group is working diligently to ensure that this vulnerability has been removed from each of our clients’ systems. If you are having any difficulty doing this yourself, feel free to call our Resource center at 888.419.9090 or 334.386.4800.

Thank you for your business.

Chrome: Google Chrome and Chromium-based browsers don’t offer a preference for setting the minimum and maximum protocol versions that the browser will use. Instead, you can launch the browser with the parameter --ssl-version-min=tls1 so that only TLS 1.0 or higher protocols are used.


Firefox: Open the about:config page and confirm that you will be careful if this is the first time you open it. Search for security.tls.version.min, double-click it and set its value to 1. This makes TLS 1.0 the minimum required protocol version. Close and reopen the browser to apply the new setting.


Internet Explorer: Click the menu button and select Internet Options from the menu. Switch to the Advanced tab and scroll down until you find Use SSL 2.0 and Use SSL 3.0 (near the bottom). Uncheck the two SSL options, check the TLS options, and click OK to apply the change.


Safari: Apple has released Security Update 2014-005, which disables CBC-mode ciphers in coordination with SSLv3. The patch is available for Mac OS Mavericks, Mountain Lion, and Yosemite.
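
For administrators who need to confirm the Firefox setting described above on many machines, the following Python script (an added example, not part of the original advisory) reads the text of a profile's prefs.js and user.js files and reports whether security.tls.version.min still permits SSL 3.0. The function names are illustrative and the sample file contents are constructed.

```python
import re

PREF = "security.tls.version.min"
# Firefox's numeric values for this preference (1 = TLS 1.0, as the advisory sets).
VERSIONS = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}
# Matches active user_pref lines only; lines commented out with // do not match.
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"' + re.escape(PREF) + r'"\s*,\s*(-?\d+)\s*\)\s*;', re.M)

def read_min_version(text):
    """Return the last value a prefs file assigns to the preference, or None."""
    values = PREF_RE.findall(text)
    return int(values[-1]) if values else None

def audit_profile(prefs_js, user_js=""):
    """Return (status, value, detail). user.js is read at startup and wins."""
    for source, text in (("user.js", user_js), ("prefs.js", prefs_js)):
        value = read_min_version(text)
        if value is not None:
            label = VERSIONS.get(value, "value %d" % value)
            if value < 1:
                return ("vulnerable", value, "%s allows %s" % (source, label))
            return ("ok", value, "%s sets the minimum to %s" % (source, label))
    return ("unset", None, "not set; the browser's built-in default applies")

# Constructed sample file contents (not taken from a real profile).
SAMPLE_PREFS = '''// constructed prefs.js
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.tls.version.min", 0);
'''
SAMPLE_USER = 'user_pref("security.tls.version.min", 1);\n'

if __name__ == "__main__":
    print(audit_profile(SAMPLE_PREFS))               # prefs.js alone
    print(audit_profile(SAMPLE_PREFS, SAMPLE_USER))  # user.js override
    print(audit_profile('user_pref("browser.startup.page", 1);\n'))
```

A result of "unset" means the minimum version depends on the installed Firefox release, so those machines still need the manual check described above.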
