SSL v3.0 POODLE Vulnerability

The Interwebs world has been rocked again with yet another server vulnerability.  This one is called POODLE and is anything but cute and cuddly.

What’s the issue?

POODLE is actually an acronym for Padding Oracle On Downgraded Legacy Encryption.

There’s a problem with v3.0 of the SSL (Secure Sockets Layer) protocol that most Linux-based servers still run today.

It allows plaintext (decrypted) credentials to be read, making it possible for somebody to snoop on your “secure” transmissions.

SSL v3.0

The SSL v3.0 protocol is pretty old (15 years old, to be precise), but many web servers still have it switched on.

Newer protocols are used today (TLS 1.0, 1.1, or 1.2), but when these fail the server will automatically try a fallback connection via SSL v3.0, and that’s the issue here.

Does this affect SSL Certificates?

No, it does not. All your SSL certificates are still good and don’t need to be reissued.

How do you know if your server is affected by this issue?

The Poodlebleed website has a small testing script that you can use to see if your server is affected.

Fixing the issue on the server

There are quite a few services on a server which may use the SSL v3.0 protocol including web servers (Apache, Nginx, Lighttpd) and email services such as Sendmail and Dovecot.

Here’s a great resource on how to test and fix each of these services.

 

 


Wil

Wil is a dad, consultant, developer, conference organiser, speaker and business mentor. He co-organizes the WordPress Sydney meetup group and has been on the organising committee for WordCamp Sydney since 2014. He speaks at many special events and contributes to the WordPress open source project. His likes are chillies, craft beer and electrogravitics.