Blogs

    Publish
     
      • The SSL 3.0 Vulnerability – POODLE Bug (AKA POODLEbleed)

        Oct 20 2017, 8:27 PM

        by Brook Chelmo 4

        SSLv3_poodle-300px.png

        A bug has been found in the Secure Sockets Layer (SSL) 3.0 cryptography protocol (SSLv3) which could be exploited to intercept data that’s supposed to be encrypted between computers and servers. Three Google security researchers discovered the flaw and detailed how it could be exploited through what they called a Padding Oracle On Downgraded Legacy Encryption (POODLE) attack (CVE-2014-3566).

        (Updated Dec. 9, 2014) Recently, a new variant of the POODLE vulnerability (CVE-2014-8730) was found to affect even versions of TLS, the successor to the SSL protocol.  This new vulnerability works against sites that use load balancers that have incorrectly implemented encryption padding checks, and may affect around 10% of servers.  Certain models of F5 and A10 load balancers are susceptible, and as part of best practices we recommend that users apply vendor-supplied patches as they become available.

        It is important to note that this is NOT a flaw in SSL certificates, their private keys, or their design but in the old SSLv3 protocol.  SSL Certificates are not affected and customers with certificates on servers supporting SSL 3.0 do not need to replace them.

        It’s believed to not be as serious as the Heartbleed bug in OpenSSL, since the attacker needs to have a privileged position in the network to exploit the latest.  The usage of Hotspots, public Wi-Fi, makes this attack a real problem. This type of attack falls into the “Man-in-the-middle” category. 

        Background

        While SSL 3.0 was introduced in 1996, it is currently supported by nearly 95% of Web browsers according to Netcraft’s latest report.  Many Transport Layer Socket (TLS) clients downgrade their cryptography protocol to SSL 3.0 when working with legacy servers. According to Google, an attacker that controls the network between the computer and server could interfere with the handshake process used to verify which cryptography protocol the server can accept using a “protocol downgrade dance”. This will force computers to use the older SSL 3.0 protocol to protect data that is being sent. Attackers can then exploit the bug by carrying out a man-in-the-middle (MITM) attack to decrypt secure HTTP cookies, which could let them steal information or take control of the victim’s online accounts.  Although, at the time to writing, webmasters have been disabling SSL 3.0 and moving to TLSv1 and above at a rapid pace, there still remains a lot of work to be done.  If Heartbleed taught us anything, it’s that the largest companies act fast while many small companies drag their heels in patching critical vulnerabilities. 

        What Businesses Need to Do

        In order to mitigate the bug there are a few courses of action:

        1. Check to see if your webservers are vulnerable using our free SSL Toolbox.
        2. Disable SSL 3.0 altogether, or disable SSL 3.0 CBC-mode ciphers
        3. A cloud-based Web Application Firewall can help protect against this kind of vulnerability.  For more information please visit our website.
        4. Be leery of any spam messages from scammers trying to capitalize on uncertainty and a lack of technical knowledge.
        5. If applicable, implement F5’s patch.  For information on A10 Networks, please click here for their patch.

        My fellow colleague Christoffer Olausson gives a few tips on how to fix this on Apache:

        > SSLProtocol All -SSLv2 -SSLv3                   <- Removes SSLv2 and SSLv3

        > apachectl configtest                                   <- Test your configuration

        > sudo service apache restart                      <- Restart server

        At the time of writing Google and Mozilla have either removed SSL 3.0 support from their browsers or are in the process of doing so.

        What End-Users Need to Do

        For end-users accessing websites Symantec recommends:

        1. Check to see if SSL 3.0 is disabled on your browser (for example, in Internet Explorer it is under Internet Options, Advanced Settings).
        2. Avoid MITM attacks by making sure “HTTPS” is always on the websites you visit.
        3. Monitor any notices from the vendors you use regarding recommendations to update software or passwords.
        4. Avoid potential phishing emails from attackers asking you to update your password – to avoid going to an impersonated website, stick with the official site domain.

        More Information

        Symantec has published knowledge base articles on the subject for your reference.  See below:

        Symantec Managed PKI for SSL Users

        https://knowledge.verisign.com/support/mpki-for-ssl-support/index?page=content&id=AR2182

        Symantec Trust Center/Trust Center Enterprise Users

        https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR2183

        Stay Connected

        Stay connected with us for more updates on this vulnerability and others.  Follow us on Twitter, Facebook, or visit our technical forums for issues with managing SSL and code-signing certificates.

        • POODLEbleed
        • SSLv3
        • Poodle bug
        • Products
        • bug
        • website security solutions
        • SSL
        • POODLE Attack
        • SSL 3.0
        • DigiCert Complete Website Security
        • DigiCert SSL TLS Certificates
        • vulnerability
        • Products and Solutions
        • POODLE
      • Avoid SSL Certificate and Clients May Avoid You

        Oct 14 2014, 8:12 AM

        by The SSL Store™ 0

        Google recently announced the https certificate update to its search algorithm, it will directly impact on your website ranking, if your website carry the SSL Certificate then you will get the “Google Ranking” boost up. But think why Google is giving the more important to websites which has an SSL Certificate let me explain you.

        https_0.PNG

        An SSL Certificate is create a secure layer between your web browser and visitors’ web browsers, and making important data like banking & personal details in encrypted format. As phishing attacks are increasing nowadays, online security is major concern for the world. Google believes that by penalized the websites which don’t have an SSL Certificate, owners of the websites create the benchmark that show users are more likely to visit a websites which are secure with “https” and by this way people become more aware about online web security and the companies are pushing their website with https certificate.

        Any authentic website without an SSL Certificate will see the impact of Google’s update immediately, as they decrease the organic traffic for their website and ranking. This could be disastrous for the online firms who do not upgrade their servers and website with SSL Certificate.

        The decrease is to effectively bury potential ‘scam’ websites at the bottom of search results, as Google believe those without SSL certificates are likely to be run by people looking to mine personal data for spam or fraudulent purposes.

        As we’ve already explained, a low ranking on Google could sound a death knell for online business, which are looking to attract new customers who search for online services or products. If you’re unsure if you have an SSL certificate or not, go to your webpage and look at the address bar.

        Padlock.PNG

        If your web address starts with ‘https’ and you can see a padlock symbol in the address bar, like the one above image, then you have an SSL certificate. If you do not see either of these then speak to your web hosts ASAP about upgrading your server as soon as they can.

        If you are new and don’t know anything about SSL Certificates, you no need to worry about it. You can easily buy an SSL Certificate by selecting 3 options through “SSL Wizard”.

        • Products
        • DigiCert Code Signing
        • SSL certifcates SSL Certificate Authority
        • Voice of the Customer
        • Security Community Blog
        • Symantec Website Security