Another week, another serious vulnerability discovered. This time Google has discovered an exploit in the SSL 3.0 protocol, named POODLE (Padding Oracle On Downgraded Legacy Encryption), that allows an attacker to calculate the plaintext of secure connections. Apparently the bug has been present since 1996, when SSL was originally released by Netscape. Although SSL was replaced by TLS and other newer protocols, all modern browsers still support SSL. The problem is that SSL 3.0 is used as a fallback mechanism when newer protocols can’t work on certain HTTPS sites. This is where an attacker can take advantage of the bug.
Google is about to release an updated Google Chrome version with the SSL 3.0 fallback disabled. As a result, some websites still using this protocol will no longer work and will have to be updated. In the coming months, Chrome will discard SSL 3.0 support completely.
How to protect your internet browser
First, check if your browser supports SSL 3.0.
If you are using Google Chrome, it’s best to wait for an update. The update should not take long to be released.
If you use Mozilla Firefox, you can disable SSL 3.0 yourself:
- Open Mozilla Firefox
- Type “about:config” in the address bar
- Accept the warning (usually it’s a button named “I’ll be careful, I promise!”)
- Search for “security.tls.version.min” and double-click on it
- Enter “1” as a value, click OK
- Restart your browser
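To confirm the Firefox change took effect across one or more profiles, the following added example (not part of the original post) reads the preference from a profile's `prefs.js` and `user.js` files. The function names are hypothetical and the sample profiles are constructed; a value of 0 means SSL 3.0 is still allowed, and 1 or higher means TLS 1.0 is the minimum.

```python
import re
import tempfile
from pathlib import Path

# Matches an active (not commented-out) assignment of the preference.
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"security\.tls\.version\.min"\s*,\s*(-?\d+)\s*\)\s*;',
    re.M)

def read_min_version(profile_dir):
    """Return the effective pref value for a profile, or None if unset.

    user.js is applied on top of prefs.js at startup, so it is read last."""
    value = None
    for name in ("prefs.js", "user.js"):
        path = Path(profile_dir) / name
        if path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            matches = PREF_RE.findall(text)
            if matches:
                value = int(matches[-1])  # last assignment in a file wins
    return value

def audit_profile(profile_dir):
    """Classify a profile as 'ok', 'ssl3-allowed' or 'unset'."""
    value = read_min_version(profile_dir)
    if value is None:
        return "unset"  # the browser's built-in default applies
    return "ok" if value >= 1 else "ssl3-allowed"

def demo():
    """Build three constructed profiles in a temp directory and audit them."""
    samples = {
        "hardened": {"prefs.js": 'user_pref("security.tls.version.min", 1);\n'},
        "weak": {"prefs.js": 'user_pref("security.tls.version.min", 1);\n',
                 "user.js": 'user_pref("security.tls.version.min", 0);\n'},
        "default": {"prefs.js": 'user_pref("browser.startup.page", 3);\n'},
    }
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for profile, files in samples.items():
            pdir = Path(root) / profile
            pdir.mkdir()
            for fname, body in files.items():
                (pdir / fname).write_text(body, encoding="utf-8")
            results[profile] = audit_profile(pdir)
    return results

if __name__ == "__main__":
    for profile, status in demo().items():
        print(f"{profile}: {status}")
```

The "weak" profile shows why checking `prefs.js` alone is not enough: a `user.js` file in the same profile re-enables SSL 3.0 at every startup.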
If your primary browser is Internet Explorer, you will have to use the Harden SSL/TLS tool (you can read the official documentation here) to make sure SSL is never used by the browser.
- Download Harden SSL/TLS tool
- Extract the downloaded .zip file to your Desktop
- Launch “sslharden.exe” (Windows may not have the required .NET Framework 3.5. In that case, it should automatically download it for you)
- Under protocols, find SSL 3.0 and double-click on it to disable the protocol
- Close the app. It will show a message indicating the successful addition to the Windows Registry.
Opera and Safari users should wait for their browser’s update.