Friday, October 17, 2014

SSLv3 POODLE Vulnerability

 

On October 14th, 2014, Google security researchers disclosed a new vulnerability in the SSL protocol. Fortunately, this vulnerability only impacts the 1996 version of SSL, SSLv3.


What's SSL?


SSL is the standard security technology for establishing an encrypted link between a web server and a web browser.

Browsers display a lock icon if communication is encrypted.

What's the POODLE vulnerability?


An attacker could exploit a seemingly encrypted link between a web server and a web browser to read private data, for example username and password credentials being passed to a web server.


How can we fix this?


ITS will be disabling SSLv3. Be aware that web servers that the College does not own (e.g., example.com, yahoo.com) might be vulnerable.

What uses SSLv3?


Microsoft Internet Explorer 6.0, which is an unsupported version of Internet Explorer.