DBSA:2014-0015
Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.
Contents
Digibase Security Advisory - SSL 3.0 Vulnerable - Discontinue Use Immediately
Keywords: SSL, Encryption, Secure Sockets Layer, Firefox, Internet Explorer, Chrome
DBSA ID: 2014-0015
Regarding: SSL 3.0 Vulnerable - Discontinue Use Immediately
Writeup: Kradorex Xeron (talk) 20:45, 18 October 2014 (EDT)
Date: 2014 10 18
Last Modified: 20141018195403 by Kradorex Xeron
Who should take note: Everyone
Classification
Priority: HIGH
Rationale: SSL 3.0 usage must be discontinued immediately due to plaintext recovery vulnerability
Severity: HIGH
Rationale: Confidential data could potentially be disclosed.
Spread of Issue: MULTI-PLATFORM HIGH
Rationale: All platforms and all network-connected systems that deploy SSL 3.0 are vulnerable.
Description
Secure Sockets Layer Version 3.0 (SSL 3.0) is an encryption method utilized by various software and services to ensure data delivery is secure against interception. Recently a vulnerability has been disclosed in SSL 3.0 whereas it is possible to recover the clear "in the open" information being transmitted over an encrypted session. There is a secondary element where an attacker could trick a browser into downgrading from a more secure TLS (Transport Layer Security) session into the vulnerable SSL suite. The TLS versions have lesser version numbers but are more modern and secure than any SSL version.
Mitigation/Solution
Users are advised to upgrade their software as updates are released, in the meantime it is recommended to disable SSL usage and only accept TLS connections. Be cautious when utilizing a SSL session, perhaps discontinuing usage of these services until they offer TLS. Users may utilize the link in the References section to detect if they are vulnerable to the downgrade attack and to test during implementation of this advisory.
Under Mozilla Firefox, it is advised to enter into the address bar "about:config" (no quotes, no www., no http://) and accept to enter into the advanced configuration mode, then to enter into the search bar at the top of this page "security.tls.version.min", a single entry should be displayed. Double click and edit to "1", this should effectively disable the vulnerable SSL 3.0. Firefox users may check what security suite services utilize by clicking the icon next to the address bar, and clicking "More Information", look under "Technical Details" for a prefix of "SSL_" or "TLS_", the former is vulnerable.
Under Microsoft Internet Explorer, under the "Tools" or Gear icon menu, go to "Internet Options", then select the Advanced tab, uncheck "SSL 3.0" on that list (and prior versions as well), ensuring TLS options are checked.
Chrome has no known option for this, it is advised to use the other browsers for secure site usage until Google releases a patch.