The Google Security team has found yet another vulnerability affecting most web servers that use SSL. On October 17th, 2014, the United States Computer Emergency Readiness Team released a statement about the security vulnerability. You can visit https://www.us-cert.gov/ncas/alerts/TA14-290A for the actual details about the vulnerability, named “POODLE”.
An attacker relies on the fact that servers fall back to older SSL versions when a client does not support newer SSL protocols. This lets the attacker use the known exploits against older SSL versions (v2 and v3). If your server does not support SSL, then there may be nothing to worry about, but it would be a good idea to check.
How to check if you’re vulnerable.
You can perform a simple check to see if your site is vulnerable by running the following commands in a terminal, or over SSH on the server in question.
openssl s_client -connect yourdomain.com:443 -ssl2
openssl s_client -connect yourdomain.com:443 -ssl3
If your server is vulnerable, you will see a successful handshake. If your server is OK for the time being, you will see a handshake failed message. There is currently no patch for SSLv3, and I do not see one coming out, as v3 and v2 are old protocols.
How to protect yourself:
Since there is no patch in place, there are a few things you can do.
- First, update OpenSSL to the latest version. The latest version of OpenSSL allows for newer protocols to be used. Most modern browsers support the new SSL protocols, but the latest OpenSSL provides some backwards compatibility.
- Disable SSLv2 and SSLv3 altogether. There is no known patch (at the time of writing this) for v3. You will have to refer to your system's documentation for guides on how to disable these protocols.
- Restart your server and re-check using the commands above.
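To make the re-check repeatable, the script below (an added example, not part of the original post) wraps the two commands above and turns their output into a verdict. The function names and the output strings it matches on are assumptions; the third verdict covers the case where the local openssl build no longer offers -ssl2 or -ssl3, so a failed command says nothing about the server.

```shell
#!/bin/sh
# Added example: interpret `openssl s_client` output for the -ssl2/-ssl3 checks.

# Reads s_client output on stdin and prints one verdict:
#   ENABLED       handshake completed, a cipher suite was negotiated
#   DISABLED      handshake failed, no cipher suite was negotiated
#   INCONCLUSIVE  no handshake summary at all (connection refused, or the
#                 local openssl build does not support the requested option)
# Assumption: s_client reports the result on a "Cipher is ..." summary line.
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -Eq 'Cipher is [A-Za-z0-9]'; then
        echo ENABLED
    elif printf '%s\n' "$out" | grep -Eq 'Cipher is \(NONE\)|handshake failure'; then
        echo DISABLED
    else
        echo INCONCLUSIVE
    fi
}

# Runs both checks from the article against host $1 (port $2, default 443).
# Returns 0 only when both protocols are confirmed disabled.
check_host() {
    host=$1; port=${2:-443}; status=0
    for proto in ssl2 ssl3; do
        # </dev/null closes stdin so s_client exits after the handshake.
        verdict=$(openssl s_client -connect "$host:$port" "-$proto" \
                  </dev/null 2>&1 | classify_handshake)
        echo "$host:$port $proto $verdict"
        [ "$verdict" = DISABLED ] || status=1
    done
    return "$status"
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_ACCEPTED='New, TLSv1/SSLv3, Cipher is AES128-SHA
    Protocol  : SSLv3'
SAMPLE_REFUSED='error: sslv3 alert handshake failure
New, (NONE), Cipher is (NONE)'
SAMPLE_NO_RESULT='connect: Connection refused'

# Usage: sh check_ssl.sh yourdomain.com [port]
if [ "$#" -gt 0 ]; then
    check_host "$@"
fi
```

Treat an INCONCLUSIVE result as "not tested" and repeat the check from a machine whose openssl build still supports the old protocols.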
Other tools for checking your OpenSSL status:
- DNSstuff SSL Examination Tool: http://www.dnsstuff.com/tools