What is Poodlebleed?
Poodlebleed is recently found vulnerability in the design of cryptographic protocol SSL version 3.0. Due to this vulnerability, network attackers can extract plaintext of encrypted information from established secure connections. Lately this bug was discovered by Google Security Team researcher Bodo Möller in collaboration with Thai Duong and Krzysztof Kotowicz. Although SSL 3.0 is almost 18 years old protocol, but it is still widely used in servers and supported by all browsers.
The most easiest way to prevent POODLE is to disable SSLv3 support on servers and browsers. However, there are certain limitations to keep in mind while we disable the SSLv3 support. Such as, older systems strictly relying on SSL 3.0 no longer be able to connect with any other cryptographic protocols (TLS 1.0, TLS 1.1, TLS 1.2). Internet Explorer 6 users won’t be able to communicate with any website that do not support SSLv3.
How Can Poodle Affect Servers and Browsers?
POODLE (Padding Oracle On Downgraded Legacy) is kind of protocol downgrade attack which is not new thing in Web Security. When network attackers cause connection failures on latest SSL versions (i.e. TLS 1.0, 1.1, or 1.2), web browsers will be forced to fall back to choose older and vulnerable SSL 3.0 connection. This is will create trouble here.
Attackers can exploit the poodle bug in order to decrypt secure content transmitted between server-browser. This protocol downgrade attack will allow attackers to steal “secure” HTTP cookies (or other bearer tokens such as HTTP Authorization header contents). For the best server-browser security, it is recommended to completely disable SSL 3.0 on all servers and browsers. Additionally, POODLE vulnerability is actually in the protocol itself hence it cannot be patched out like HeartBleed.
How Do I Check If My Browser Is Vulnerable to Poodle?
There are a couple of websites you can visit to determine whether your browser is accepting connections to SSL 3.0 or not.
You can protect your browser from POODLE by disabling SSLv3 support. Therefore, even if the server does offer SSLv3 support, your browser will never use it, even during a poodlebleed attack.
Firefox users can disable SSL 3.0 by just adding SSL Version Control addon.
Chrome and Internet Explorer users can disable SSL 3.0 by following steps mentioned in the following article:
How do I prevent PoodleBleeed in my Windows Server?
To test your server against POODLE, just browse the following page:
Enter any website hosted on your server. This scan will assess your server against potential security vulnerabilities and provide you with the full security report.
If you found your Windows server vulnerable, you need to do following registry settings and a server reboot.
Just browse the following path in Registry Editor;
Inside protocols you will most likely have SSL 2.0 key already, so you need to create SSL 3.0 if needed.
Under SSL 3.0 create a Server key. In the Value Name box, type Enabled, and then click OK.
Exit from the Registry and reboot the server for the changes to take effect
This workaround will disable SSL 3.0 for all server software installed on a system, including IIS.
After applying this workaround, clients that rely only on SSL 3.0 will not be able to communicate with the server.