Security Update on POODLE Vulnerability
A couple of days ago, a new vulnerability called “POODLE” was uncovered. It potentially puts at risk every web server that still allows an older form of encryption (SSL version 3). If it is exploited, data that should be secure could be compromised. There are a couple of things that need to be done to ensure you and your organization are protected.
- If you have a server that is hosting a website of any kind, it should be secured by disabling SSLv3. This includes, but is not limited to, Microsoft Exchange, web servers and small business servers.
- Your computers/devices are also at risk if you connect to a website that has not disabled SSLv3. It is strongly encouraged that you configure your web browser not to allow SSLv3. Please see information below on how to do that.
Windows XP Machines
It is important to note that Microsoft Windows XP machines running Internet Explorer 6 are unable to support any encryption level higher/newer than SSLv3. This means that as webservers with secure sites are secured across the world, Windows XP/Internet Explorer 6 will not be able to communicate with them.
For Microsoft Windows XP machines running Internet Explorer 8 (the latest version available for Windows XP), you may need to enable the TLS 1.0 option. See the instructions below for how to access those settings, and make sure that TLS 1.0 is enabled (even if you don’t disable SSLv3).
General Instructions for Changing Browser Settings
To change the settings on your web browsers, please see below. (These are general instructions. Your browser may vary depending on version.)
Microsoft Internet Explorer
Click the Tools icon in the top right corner (the icon looks like a gear). Scroll down and click Internet Options. In the resulting pop-up window, select the Advanced tab, then scroll through the list of settings until you reach the Security category. Uncheck Use SSL 3.0, click Apply, and then click OK.
Mozilla Firefox
Type about:config into the address bar and hit Enter or Return. Click “I’ll be careful, I promise!” in the resulting warning window. Scroll down the list of preferences and double-click “security.tls.version.min”. Change the integer from 0 to 1 and click OK.
For Google Chrome, you’ll have to temporarily become a power user and use a command line. The instructions are a bit different for Windows, Mac and Linux.
In Windows, first close any running version of Chrome. Find the desktop shortcut you normally click to launch Chrome and right-click it. Scroll down to and click Properties. Click the Shortcut tab. In the Target field, which should end with “/chrome.exe”, add a space, then add this: “--ssl-version-min=tls1” (two hyphens at the start, without quotation marks). Click Apply and then OK.
In Mac OS X, first quit Chrome. Open the Terminal command-line application in the Utilities folder (reachable by typing Command+Shift+U). In Terminal, type “/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --ssl-version-min=tls1” (without quotation marks; the backslashes are needed because the path contains spaces).
In Linux, quit Chrome. Open up a console window and type “google-chrome --ssl-version-min=tls1” (without quotation marks).
Relaunch all those browsers (and in the case of Internet Explorer, reboot the PC), and you should be good to go.
Here is more information if you would like to learn more:
Again, if you have any issues please contact us at 503-222-3086.