What to do about the POODLE SSL Vulnerability for Surfers, Admins and Devs
POODLE, which stands for “Padding Oracle On Downgraded Legacy Encryption”, describes a security vulnerability in the SSL version 3 (SSLv3) protocol, which older Internet browsers still use. If you’re not a developer, SSL is what your web browser uses to securely send data to web servers when you’re entering information like credit cards. When you see the green HTTPS appear in Chrome, you’re communicating via SSL.
The POODLE vulnerability was identified and disclosed in September 2014 by the Google Security Team, and many Internet service providers are working on deprecating or disabling SSLv3 in their systems to prevent any exploits of the vulnerability. The vulnerability allows a hacker positioned as the “man in the middle” of a conversation between your web browser and a web server to monitor secure data, steal credit card numbers, and so on.
That means that if you run a commerce website using a shopping cart app like WooCommerce and are communicating with a payment gateway like PayPal or Authorize.net, this affects you on multiple levels. First, you need to make sure that your server is communicating with your payment gateway using TLSv1.0 at a minimum and definitely not SSLv3. Second, you need to ensure that your web server is configured not to use SSLv3 and to use TLSv1.0 or greater.
I’ve added enough information below to help you configure your web server, update your payment gateway code, and, if you’re just a user, check your browser’s status and optionally disable SSLv3 in it.
What we’ve done about it at Wordfence:
Note that at Wordfence, we have already upgraded all our servers, including our web services and our websites that use SSL, to disable support for SSLv3 and only allow TLSv1, TLSv1.1 and TLSv1.2. So we are forcing your web browser to talk to us using a secure protocol. We are also forcing the version of cURL on your WordPress website to talk to our secure server using TLSv1 at a minimum.
Web Surfers:
If you are reading this and are not a developer or website administrator, and you’re curious whether your web browser supports SSLv3, visit this site, which includes instructions on how to disable SSLv3 in your web browser. If you disable SSLv3, you won’t be able to communicate with sites that don’t support the newer TLSv1, but sites that support both SSLv3 and TLS will be forced to communicate with you securely.
Site admins and web server admins:
Linode has an excellent article on how to disable SSLv3 for POODLE in all major web servers and force those servers to use TLSv1.0, TLSv1.1 or TLSv1.2.
PHP Developers:
Many payment processors like Paypal and Authorize.net have either already updated their secure gateways or are in the process of updating (Authorize.net releases theirs on Nov 4th) to disallow the use of SSLv3 to protect against the POODLE attack.
If you’re a PHP developer writing shopping carts, plugins or anything else that communicates with a server using HTTPS, you’re going to have to update your calls to cURL to make sure your code will still work as payment gateways disable SSLv3.
If you are manually forcing SSLv3, for example with:
curl_setopt($ch, CURLOPT_SSLVERSION, 3);
you’re going to have to either change that to:
curl_setopt($ch, CURLOPT_SSLVERSION, 4);
which forces TLSv1 to be used,
Or just comment the line out. According to ZenCart’s forum update, modern PHP negotiates the best SSL connection and if the gateway has disabled SSLv3 and anything else undesirable, you’ll establish a connection using TLSv1.0 or greater.
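As an added illustration (not code from the original post or from Wordfence), here is the SSLv3-forcing cURL call beside a TLS-only replacement, plus a check that reads the protocol cURL actually negotiated from its verbose trace; the gateway URL is a placeholder.

```php
<?php
// Added example, not code from the original post. CURLOPT_SSLVERSION values
// follow libcurl: 0 = DEFAULT (negotiate), 1 = TLSv1 (any TLS 1.x),
// 3 = SSLv3, 4 = TLSv1_0, 5 = TLSv1_1, 6 = TLSv1_2.

// Before: pins the connection to SSLv3, the protocol POODLE targets and the
// one gateways are now rejecting, so this handle will soon fail to connect.
function gateway_handle_sslv3($url)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_SSLVERSION, 3); // same as CURL_SSLVERSION_SSLv3
    return $ch;
}

// After: allow only TLS. Value 1 lets libcurl pick the highest TLS 1.x both
// sides support, whereas 4 (the post's suggestion) pins exactly TLS 1.0.
function gateway_handle_tls($url)
{
    $ch = curl_init($url);
    $tls = defined('CURL_SSLVERSION_TLSv1') ? CURL_SSLVERSION_TLSv1 : 1;
    curl_setopt($ch, CURLOPT_SSLVERSION, $tls);
    // Keep certificate validation on: a downgrade attack needs a man in the
    // middle, and disabling these checks hands one a free pass.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    return $ch;
}

// Runs the request with cURL's verbose trace captured in memory and returns
// the protocol it reports ("TLSv1.2" etc.), or null if no such line appears.
function negotiated_protocol($ch)
{
    $trace = fopen('php://temp', 'w+');
    curl_setopt($ch, CURLOPT_VERBOSE, true);
    curl_setopt($ch, CURLOPT_STDERR, $trace);
    $body = curl_exec($ch);
    if ($body === false) {
        echo "Request failed: " . curl_error($ch) . "\n";
    }
    rewind($trace);
    $log = stream_get_contents($trace);
    // libcurl prints e.g. "* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256"
    return preg_match('/SSL connection using (\S+)/', $log, $m) ? $m[1] : null;
}

// Usage with a placeholder gateway URL (an assumption, not a real endpoint).
$ch = gateway_handle_tls('https://gateway.example.com/api/');
echo "Negotiated: " . (negotiated_protocol($ch) ?: 'unknown') . "\n";
curl_close($ch);
```

Run it against your real gateway endpoint after the gateway's SSLv3 cut-off date; a reported TLSv1.x protocol confirms the updated code still connects.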
Please help spread awareness of POODLE and what to do about it to help secure our site visitors and site owners.
Comments
3:06 pm
This is a storm in a teacup.
No one would ever carry out this attack, if they were able to do so, then they would already be in a position to perpetrate a much simpler attack to which there would be no defence.
Listen to Steve Gibson on his Security now podcast for the reasons this is a load of poodle poo.
People are being scared by this ridiculous nonsense; it is like the old chain letter and email warnings that clog up the Internet and inboxes, warnings that are hoaxes.
Have you any evidence of this attack EVER being pulled off? I doubt it very much.
3:17 pm
I've listened to Steve on occasion - cool guy but WOW his podcasts are long. He goes over 100 minutes occasionally. I think there are many researchers out there who'd love to spend an afternoon debating the feasibility of carrying out the POODLE attack. Let's put it this way: I wouldn't bet my social security number on SSLv3 on public WiFi at BlackHat, DefCon or another locale with high hacker density.
But I think you're missing another issue: If you run a website with SSLv3 enabled after the amount of PR that POODLE has received, you're going to at the very least look bad to your customers and quite possibly get called out about it.
Secondly, payment gateways are disabling support for SSLv3 (many have, some are scheduled to do so in a few days) so if you're using that in your checkout software (many devs are), you will suddenly find your site stops processing transactions and you won't make another cent until you update your code.
6:38 pm
While I agree that there's no reason for fear over POODLE, I absolutely disagree that it is a complete non-issue. MitM attacks are difficult to pull off and so the real risk to users is minimal, yes. Joe Average and Suzy Creamcheese visiting the ABC Widgets web site are at little risk of having their session hijacked.
HOWEVER …
The reality is that vulnerabilities need to be addressed, period. Black hats are in the business of exploiting vulnerabilities, which means that despite the protection that obscurity offers, it's hollow and not a guarantee of safety. If your servers allow SSLv3 connections, you ARE leaving your sessions open to potential SSLv3 fallback-based MitM attacks. With how ridiculously easy it is to tweak a server to disallow this vector of attack, any sysadmin who leaves the vector open should be sacked. Seriously.
Our Hardfocus servers were quickly tweaked to disallow SSLv3 after news of the vulnerability crept out. Of course, it's up to users to get their browsers in line, too. Apple has fallen short in this regard by leaving Safari < v6.2 un-patched and vulnerable to this exploit. That's disappointing, but caveat emptor. Keep your OS X and Safari current, folks.
So, yeah, it's not a topic that deserves sensationalism. I wouldn't ignore it, though. The internet is a dangerous place. If you saw the typical firewall logs of a public-facing server, you'd be appalled at just how many hack attempts happen. That's true even on systems that are largely unknown. Bots don't care about popularity, only vulnerability.
5:04 pm
Thank you for the update. I will definitely check with my local host.
5:01 pm
Hello, Mark & Wordfence team. Thank you very much for providing the alert about the SSL issue. I have a WordPress e-commerce site that is hosted through GoDaddy. I use Woocommerce and PayPal Standard to process orders and payments. I followed the step to disable SSLv3 in my Firefox browser.
1. As the site admin, are there any other modifications I need to make in the background dashboard of my WordPress site? (As a very recent & first time business owner and admin of an e-commerce site, I wasn't sure if your reference to the Linode article required me to do anything else.)
2. Are you aware if GoDaddy and Woocommerce have implemented any security updates/measures to disable SSLv3 and start using TLSv1.0 or greater?