POODLE vulnerability hastens the death of SSL 3.0

Systems that support only SSL 3.0 are being abandoned as systems operators cease server-side support for the outdated standard following the disclosure of a critical bug.

The latest in 2014’s saga of server-side issues is POODLE, an acronym of Padding Oracle On Downgraded Legacy Encryption (otherwise designated as CVE-2014-3556) that was named by the publishers of the disclosure, Google researchers Bodo Möller, Thai Duong, and Krzysztof Kotowicz.

POODLE is a flaw in how browsers handle encryption; by negotiating down to SSL 3.0, attackers can alter padding data at the end of a block cipher in a way that forces a slow leak of data. Many of the cipher suites in SSL 3.0 have already been abandoned as insecure, due to small key sizes, biases, and simply having support already removed from browsers.

The POODLE vulnerability allows attackers to exploit the design of SSL 3.0 to decrypt sensitive information, including secret session cookies (and, therefore hijack sessions for users’ accounts). Because the exploit is not being a patchable flaw, it is necessarily hastening the death of SSL 3.0 as a viable standard.

 The public response

Akamai, a popular CDN, has accelerated its deprecation of SSL 3.0, which at present stands at 90% complete, and should be finalized for Secure CDN customers by late October to early November 2014. The firm is also working on a phased deployment for TLS_FALLBACK_SCSV for legacy systems, though they note that since few browsers support this patch, it does not help anyone for the short term. SSL 2.0 traffic is now blocked, and customers supporting only SSL 3.0 are urged to upgrade as soon as possible.

CloudFlare has disabled SSL 3.0 support by default for all customers. Business and enterprise customers have the option of enabling it manually, though CloudFlare strongly discourages users from doing so. The company’s research notes that for HTTPS traffic, only 0.65% of this traffic uses SSL 3.0, which they characterize as being mostly attack traffic and crawlers. They also note that Windows XP traffic constitutes only 3.12% of all “real visitor traffic,” and of those users, only 1.12% use SSL 3.0.

Twitter announced an immediate end to SSL 3.0 support for its services, forcing users to use a browser that supports TLS 1.0 or higher.

Mozilla rolled out an extension for users to immediately disable SSL 3.0. SSL 3.0 will be disabled by default in Firefox 34, which will be released on November 25, 2014. Plans are also in the works to include support for SCSV in Firefox 35.

Möller indicated in a Google blog post that Chrome has supported SCSV since February 2014, and that SSL 3.0 support will be removed completely from client products “in the coming months.”

Does this dog bite?

What, if any, precautions will you take to mitigate this issue? Do you still have production servers that support SSL 3.0? Let us know your thoughts in the comments.

Also see

What Is Apple Pay?

What Is Apple Pay? –

In the Card-Present environment, Apple Pay uses a NFC transmitter in either the iPhone 6, 6 Plus or Apple Watch to transmit secure transaction data from the user’s iPhone to a compatible contactless receiver in a merchant’s store. No real credit card data is transmitted, only a one-time token that is useless if stolen. The customer simply picks a card, taps the phone next to the terminal, and the transaction is completed.


How Do Merchants Accept Apple Pay? –

Merchants need a NFC receiver that is certified for Apple Pay and will need to be on the MSL First Data platform for now – other platforms will undoubtedly be added. Most of the recently-deployed terminals are already compatible with EMV and contactless payment methods (mostly NFC and Apple Pay), which means they only need a receiver to accept Apple Pay. There are a number of receivers that will be made available soon, and they will allow both new merchants and existing merchants to accept PIN Debit, EMV cards, and NFC/Apple Pay. These devices are intended to be backwards compatible with many existing terminals. Apple Pay is also 100% compatible with the CLOVER station using an upgraded FD-40 PIN Pad (available soon).


When Can Your Merchants Accept Apple Pay? –

Apple is scheduled to release final specs on 18th October, 2014. These specs will then need to be certified on the PIN/EMV/NFC devices and then we can start shipping. No merchants anywhere will be able to accept Apple Pay transactions until at least after 18th October. We are unsure exactly when the rollout will occur, but will keep you posted as news develops.