department menu

The POODLE Vulnerability: Exploiting SSLv3.0

By Jeroen Barendse

UPDATE: As of November 2014 Google, Firefox, Microsoft, and Apple have patched all browsers to close the POODLE Vulnerability.

Explaining the Vulnerability:

On Tuesday October 15, 2014 Google announced a vulnerability in the implementation of the SSLv3.0 protocol.  SSL, or Secure Socket Layer, is a cryptographic protocol designed to provide communication security over the Internet.  SSLv3.0 is an 18 year old version of SSL, but nearly all browsers still support it.

How it works:

Because web servers could be running one of a variety of different versions of SSL (or none at all) when a browser fails to connect to a website they will retry those failed connections with older protocol versions, including SSLv3.0.  Network attackers can cause these connection failures on purpose to trigger your browser to use SSLv3.0.  After they trigger the use of SSLv3.0 they can then exploit what is being called the POODLE Security Vulnerability.  This would allow a network attacker access to important private information, like a session token or cookies, that would then allow them to hijack the identity of another user.

What are we doing about this?

Internet Explorer –

IITS will roll out an update for Internet Explorer that will disable SSLv3.0 and below.  (To update your personal (home) computer, see "How to Protect Yourself".)

Firefox –

If you prefer using Firefox as to browse the web, Mozilla has updated their browser to disable SSLv3.0.  The current version that includes the update to patch the POODLE vulnerability is 33.0 and above.  To check what version of Firefox you currently have and update it:

  • Click the menu button New Fx Menu , click help Help-29 and select About Firefox. The About Firefox window will appear. The version number is listed underneath the Firefox name.
  • Opening the About Firefox window will, by default, start an update check to see if an updated version of Firefox is available.

Google Chrome –

Windows

You can use this fix for a shortcut or the pin'd application on the taskbar.

  1. Right click the Google Chrome shortcut on the desktop.

Windows Drop Menu

  • If you are changing the shortcut pinned to the Taskbar, you must then right click the "Google Chrome" item.

Windows Taskbar Menu

  1. Click Properties from the drop-down menu.
  2. You will see the properties menu for the shortcut to Google Chrome.

Windows Properties

  1. Click inside the "Target" box and scroll all the way to the right (past the quote (")).
  2. Enter --ssl-version-min=tls1.

Windows Properties

  1. Click "OK" on the properties menu.
  2. When asked for administrator permissions, click "Continue".

Windows Permission Window

  1. Restart Chrome.

Alternatively, you can edit the http/shell/open/command registy value in HKEY_CLASSES_ROOT to specify --ssl-version-min=tls1at the end, similar to the following example:"C:\Program Files\Google\Chrome\Application\chrome.exe" --ssl-version-min=tls1 -- "%1". This will protect you even if you open Chrome by clicking a link in an email or other document. Thanks to Dr. Thomas Kunst.

Mac OS X

 
Be Advised! This only protects you if you open Google Chrome from the Application that you create in Automator.
  1. Open Automator from Applications.

OSX Automator

  1. Double-click "Workflow".
  2. Under Library, click Utilities.

OSX Utility window

  1. Double-clide "Run Shell Script".

OSX Shell Window

  1. Replace cat with open -a "Google Chrome.app" --args --ssl-version-min=tls1.

OSX Shell window

  1. In the toolbar at the top of the screen, click "File" and then "Save".
  2. In the "Save As" box, type Chrome-POODLE-Proof.app.
  3. In the "File Format" drop-down box, select "Application".

OSX Workflow window

  1. Click "Save".

Depending on how you open Google Chrome, you may have to open it in a different way. If you open it through Spotlight, just type Chrome-POODLE-Proof instead of Google Chrome If you open it by clicking on it in the Dock, open Finder, and click Applications. Drag-and-drop the Chrome-POODLE-Proof.app to the Dock. When you want to open Chrome, click the icon that looks like a robot holding a pipe instead of the normal Google Chrome icon.

In Linux

Thanks to gertvdijk on AskUbuntu.

  1. Open /usr/share/applications/google-chrome.desktop in a text editor
  2. For any line that begins with "Exec", add the argument--ssl-version-min=tls1
    • For instance the line Exec=/usr/bin/google-chrome-stable %U should become Exec=/usr/bin/google-chrome-stable --ssl-version-min=tls1
  3. Reboot

Safari - 

Currently there is no known way to disable SSLv3.0 is Safari.  We will continue to monitor this situation and release updates accordingly.

How to protect yourself at home:

Disabling SSL 3.0 is sufficient to mitigate this issue.  For instructions on how to disable SSLv3.0 in your browsers at home click Disabling SSLv3.0 and follow the instructions on the page.

To check if your browser disabled SSLv3.0:

Go to http://www.poodle.io.  The site will check to see if you have disabled SSL and return the results just below the webpage title.  All instructions taken from poodle.io