How to Check for SSL POODLE SSLv3 Bug

Word is out of a new security hole discovered in a basic protocol used for encrypting web traffic. Its name is POODLE, which stands for Padding Oracle On Downgraded Legacy Encryption, and it was discovered by three Google security researchers, Bodo Möller, Thai Duong, and Krzysztof Kotowicz, who published a paper (.pdf). Heartbleed and Shellshock were vulnerabilities that allowed an attacker to hack a server. POODLE instead targets clients, allowing a man-in-the-middle attacker to decrypt “secure” HTTP cookies. It is estimated that SSLv3 accounts for between 1% and 3% of all Internet traffic. This is the third major vulnerability released on the Internet this year, and it is another warning that this level of vulnerability discovery may be the new shape of things to come.

POODLE affects SSLv3, version 3 of the Secure Sockets Layer protocol, which is used to encrypt traffic between a browser and a web site or between a user’s email client and mail server. POODLE is a death blow to this version of the protocol; it can only reasonably be fixed by disabling SSLv3 altogether. It’s not as serious as the recent Heartbleed and Shellshock vulnerabilities, but POODLE could allow an attacker to hijack and decrypt the session cookie that identifies you to a service like Twitter or Google, and then take over your accounts without needing your password.

A test for your browser is available at this link

For the vulnerability to be exploited, your browser must be running JavaScript, and the attacker has to be on the same network as you, for example on the same Starbucks Wi-Fi network you’re using. This makes it less severe than an attack that can be conducted remotely against any computer on the Internet.

How to test for SSL POODLE vulnerability?

$ openssl s_client -connect google.com:443 -ssl3

If the handshake fails, the server does not support SSLv3 and is safe from this vulnerability. Otherwise, SSLv3 support must be disabled on the server.
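The same check can be made from a machine whose OpenSSL build no longer has SSLv3 compiled in. The following is an added example, not part of the original article: it sends a hand-built SSLv3 ClientHello over a plain socket and classifies the first reply record. The function names, result labels and cipher-suite list are choices made for this example.

```python
import os
import socket
import struct

SSL3 = b"\x03\x00"
# CBC and RC4 suites from the SSLv3 era (IANA code points); a server that
# only enables other suites would be reported as "rejected" by this probe.
CIPHERS = [0x0035, 0x002F, 0x000A, 0x0005, 0x0004]


def build_sslv3_client_hello(random_bytes=None):
    """Build one SSLv3 record holding a ClientHello (no extensions, no SNI)."""
    rnd = random_bytes or os.urandom(32)
    suites = b"".join(struct.pack("!H", c) for c in CIPHERS)
    body = (SSL3 + rnd + b"\x00"                  # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                        # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake


def classify_reply(data):
    """Classify the first bytes the server sent back."""
    if len(data) < 6 or data[0] == 0x15:
        return "rejected"                         # connection closed, or TLS alert
    if data[0] == 0x16 and data[1:3] == SSL3 and data[5] == 0x02:
        return "sslv3-accepted"                   # ServerHello at version 3.0
    return "unknown"


def probe(host, port=443, timeout=5.0):
    """Send the ClientHello to host:port and classify the reply."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            sock.sendall(build_sslv3_client_hello())
            while len(data) < 6:
                chunk = sock.recv(6 - len(data))
                if not chunk:
                    break
                data += chunk
        except ConnectionResetError:
            pass                                  # reset counts as a refusal
    return classify_reply(data)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

A result of "sslv3-accepted" corresponds to the openssl command above completing its handshake, and means SSLv3 still has to be disabled on that server.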

How to disable the SSLv3 support on Nginx?

In nginx configuration, just after the “ssl on;” line, add the following to allow only TLS protocols:

ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

How to disable the SSLv3 on Apache?

SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2

 
