SSL 3.0 Is Vulnerable and Should Be Disabled

Upload: pankaj-rane

Post on 07-Jul-2015

Overview

Security researchers from Google have published details of a vulnerability (CVE-2014-3566) in SSL 3.0. The vulnerability is in the design of the protocol, and not in any vendor-specific implementation. This vulnerability could allow an attacker to extract cleartext content from encrypted traffic via man-in-the-middle attacks.

Where applicable, it is recommended that SSL 3.0 be disabled as a supported protocol choice. Only versions of TLS should be supported henceforth.

Details

To work with legacy servers, many TLS clients implement a downgrade dance: in a first handshake attempt, offer the highest protocol version supported by the client; if this handshake fails, retry (possibly repeatedly) with earlier protocol versions. An attacker who controls the network (public Wi-Fi, for example) between the client and the server can interfere with any attempted handshake offering TLS 1.0 or later, and cause the supposedly encrypted channel to be established with SSL 3.0.

Having forced the client to use SSL 3.0, the attacker could then intercept the encrypted traffic, and by exploiting a weakness in the CBC block cipher in SSL 3.0, could decrypt portions of the encrypted traffic. If the decrypted content includes session authentication data, it could lead to the attacker hijacking the victim’s session and impersonating the victim.

Recommendation

Engineers are advised to consult with respective vendors, or operating manuals, to remove SSL 3.0 from the list of supported protocols. With the removal of SSL 3.0, no other versions of SSL should be supported. Only versions of TLS should be supported from now on. While most modern systems should support TLS, be aware of any legacy systems that might only be able to connect to your services with SSL.
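
The fallback logic from the Details section and the effect of the recommendation can be seen in a small model. This is an added example, not code from the original advisory or any vendor; the version labels, the `downgrade_dance` and `handshake` functions and the `interferes_with_tls` network behaviour are assumptions made for illustration, and no real networking is involved.

```python
# Added illustration: a toy model of the client "downgrade dance" (no real networking).
from typing import Callable, List, Optional, Set, Tuple

# Protocol versions, oldest to newest (labels only, constructed for this model).
ORDER = ["SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"]
ALL = set(ORDER)
TLS_ONLY = ALL - {"SSL 3.0"}  # the configuration the page recommends


def handshake(offer: str, client: Set[str], server: Set[str]) -> Optional[str]:
    """One attempt: the highest version at or below the offer that both sides accept."""
    usable = [v for v in ORDER[: ORDER.index(offer) + 1] if v in client and v in server]
    return usable[-1] if usable else None


def downgrade_dance(
    client: Set[str],
    server: Set[str],
    blocked: Callable[[str], bool] = lambda offer: False,
) -> Tuple[Optional[str], List[str]]:
    """Offer the newest version first and retry with older ones on failure.

    blocked(offer) models an on-path party making that attempt fail; the client
    cannot tell this apart from a legacy server, so it falls back.
    Returns (negotiated version or None, offers tried in order).
    """
    tried: List[str] = []
    for offer in sorted(client, key=ORDER.index, reverse=True):
        tried.append(offer)
        if blocked(offer):
            continue
        version = handshake(offer, client, server)
        if version is not None:
            return version, tried
    return None, tried


def interferes_with_tls(offer: str) -> bool:
    """Hypothetical on-path behaviour from the Details section: TLS offers fail."""
    return offer != "SSL 3.0"


if __name__ == "__main__":
    print(downgrade_dance(ALL, ALL))                            # normal network
    print(downgrade_dance(ALL, ALL, interferes_with_tls))       # forced fallback
    print(downgrade_dance(ALL, TLS_ONLY, interferes_with_tls))  # server hardened
    print(downgrade_dance(TLS_ONLY, ALL, interferes_with_tls))  # client hardened
```

With SSL 3.0 removed on either side, interference ends in a failed connection instead of an SSL 3.0 session; the same model shows a legacy SSL-only client failing against a TLS-only server, which is the compatibility caveat noted in the recommendation.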