SSLv3 Man in the Middle (POODLE)

What Is It?

Padding Oracle On Downgraded Legacy Encryption (POODLE) – a security vulnerability that forces the downgrade of negotiated session protocol to SSLv3, a legacy protocol used to establish secure web communication (HTTPS). The vulnerabilities are limited in scope and several client and servers restrict the use of SSLv3 which is a 15-year-old protocol. If a server is vulnerable, a man-in-the-middle attack can be executed to compromise the encrypted session.

How Does It Work?

This is a man-in-the-middle attack that forces browsers and sites to downgrade the security protocol to SSLv3 from TLS. This is done by interrupting the handshake between the client and server. This forces the retry of the handshake to earlier protocol versions. It is important to understand that in order to successfully exploit the POODLE vulnerability, the exploiting user must either be on the same network of the client or server or be able to successfully execute malicious JavaScript.

DataYard’s Actions?

DataYard has already disabled SSLv2 and SSLv3 on all of our shared infrastructure and internet facing servers. We are in the process of contacting managed customers to disable earlier protocol versions. Currently, the only workaround is to stop using SSLv3. The only downside to disabling SSLv3 is that legacy operating systems with legacy browsers that do not support TLS (Windows XP / IE 6 and earlier) will not be able to access sites and services with SSLv3 disabled.