On October 14th, 2014, a vulnerability in version 3 of the SSL encryption protocol was disclosed. This vulnerability, called POODLE (Padding Oracle On Downgraded Legacy Encryption), allows an attacker to read information encrypted with this version of the protocol in plain text using a man-in-the-middle attack.
Vulnerabilities in certain SSL certificates and connections force companies worldwide to apply security patches and to disable certain connections, like version 3 of Secure Sockets Layer (SSLv3).
One of the solutions includes disabling SSLv3. Unfortunately, there is no patch for this to install. The only action that solves the problem is disabling SSLv3 in every application that uses it.
Impact of Disabling SSLv3
There’s little impact for most people and businesses in disabling SSLv3 because they are not relying on SSLv3 to make connections via SSL/TLS. The large majority relies on TLS.
In some cases it may however affect companies and organisations that are still relying on SSLv3. There is a way to detect whether your company relies on SSLv3. Check this link to view specifications on detecting if you are using SSLv3.
Applying security patches or disabling SSLv3 may lead to lost connections, but actions should be taken to ensure that you are not vulnerable in your roles as both a client and a server. Since encryption is usually negotiated between clients and servers, it is an issue that involves both parties.
Servers and clients should take steps to disable SSLv3 support completely. Many applications use better encryption by default, but implement SSLv3 support as a fullback option. This should be disabled, as a malicious user can force SSLv3 communication if both participants allow it as an acceptable method.
Continuing process of securing protocols
Although updating and patching the old software might be a hassle, it is wise to verify whether encryption protocols and techniques have been out-dated or not. Securing these protocols and techniques is continuing process and part of daily returning security measurements and improvements.
CM’s support team is pro-actively involved in this matter. If you experience any issues regarding these vulnerabilities, please do not hesitate to contact our service & support team.