If You Use SSL 3.0, it’s Time to Migrate Off

Google’s getting ready to phase out SSL 3.0 in Chrome 39 due to it’s vulnerability to “man in the middle” attacks like those presented by Poodle.

apgoogle data center
If they are going there, then you need to move as well. While Google’s move will protect consumers using Chrome, it’s not going to help you if a hacker gets into your network using an old browser that allows downgrade to SSL 3.x or lower short keys and your apps still accept that.

If you still allow old versions of ssl (aka secure sockets layer, now superseded by TLS 1.2,) to be used in your enterprise due to outdated applications or hardware deficiencies then you need to migrate to TLS 1.2 and disallow insecure SSL 3.0 and lower connections that might still use short cryptographic keys. (SHA 256 or better is the current NIST recommendation. See table on page 67.)

You also need to be very aware that several well known web services and applications just one or two versions down sometimes come with older versions of SSL embedded in Apache Tomcat services. A good scanner such as Nessus will reveal that an insecure version of Apache (or whatever) SSL is being used with shorter keys, but it won’t tell you which app is the culprit so you are going to have to monitor the transactions to trace them back if you are not sure which one it is. This is especially true if your app vendor is not coming clean about it. Longer keys also take more server resource to crypt/decrypt so be prepared for a potential performance hit after you upgrade.

From Lucian Constantin at InfoWorld:

The decision comes after Google security researchers recently discovered a dangerous design flaw in SSL 3.0. Dubbed “POODLE,” the vulnerability allows a man-in-the-middle attacker to recover sensitive, plain text information like authentication cookies, from a HTTPS (HTTP Secure) connection encrypted with SSLv3.

Even though POODLE is the biggest security issue found in SSL 3.0 so far, it is not the protocol’s only weakness. SSL version 3 was designed in the mid-1990s and supports outdated cipher suites that are now considered insecure from a cryptographic standpoint.

HTTPS connections today typically use TLS (Transport Layer Security) versions 1.0, 1.1 or 1.2. However, many browsers and servers have retained their support for SSL 3.0 over the years — browsers to support secure connections with old servers and servers to support secure connections with old browsers.