[IS&T Security-FYI] SSL 3.0 Vulnerability Disclosed

Monique Buchanan myeaton at mit.edu
Thu Oct 16 11:54:19 EDT 2014


For this issue I am forwarding along a message that went out to the Security SIG list and IT Partners last night:

1. SSL 3.0 Vulnerability Disclosed

Good Afternoon,

Engineers at Google have disclosed a vulnerability in SSL 3.0 that can allow a network attacker to decrypt the contents of certain encrypted web communications.

The exploit is being called POODLE (Padding Oracle On Downgraded Legacy Encryption) and is made possible by the abuse of a deprecated encryption protocol included in most web browsers and web servers for legacy site and/or browser compatibility.

As a result of this disclosure, both Google and Mozilla have committed to completely removing SSL 3.0 from Firefox and Chrome in the coming months. In the coming days, we expect to see other browser makers, specifically Microsoft (Internet Explorer) and Apple (Safari), publish plans on how they will be protecting users from the POODLE vulnerability.

Locally, IS&T plans to upgrade all of its systems to remove SSL 3.0 support and is working to discover non-IS&T sites that are still using SSL 3.0 to secure communications. Once discovery is complete, notifications will be sent out to site administrators.

IS&T will update this thread as more information is made available from browser makers and as stop-gap mitigation steps are published.

Regards,
Security Operations

A copy of this message can be found on The Knowledge Base: http://kb.mit.edu/confluence/x/GIEwCQ

--------------------------

RELEVANT LINKS

Google Disclosure: http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html

Mozilla Disclosure: https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/

Imperial Violet: https://www.imperialviolet.org/2014/10/14/poodle.html

POODLE Technical Paper: https://www.openssl.org/~bodo/ssl-poodle.pdf



Monique Buchanan
IT Security Communications Coordinator
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu/secure
tel: 617.253.2715
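The discovery step described in the forwarded message (finding servers that still accept SSL 3.0) comes down to one question: does the server complete a handshake when a client offers nothing newer than SSL 3.0? The script below is an added example written for this post; it is not IS&T's tool and not code from any of the linked disclosures. It builds a minimal SSL 3.0 ClientHello by hand (modern OpenSSL builds have SSLv3 compiled out, so the standard `ssl` module cannot be used for this), sends it to a host you administer, and classifies the first record that comes back: a ServerHello with version 0x0300 means SSL 3.0 is still enabled (and if the chosen suite is CBC, the server is exposed to the padding-oracle described above); an alert or a closed connection means the downgrade is refused. The host and port are command-line arguments; the sample server responses embedded at the bottom are constructed so the parser can be exercised offline.

```python
"""Check whether a server you administer still accepts SSL 3.0 (POODLE exposure)."""
import os
import socket
import struct
import sys
from dataclasses import dataclass
from typing import Optional

SSLV3 = b"\x03\x00"
HANDSHAKE, ALERT = 0x16, 0x15
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02

# CBC suites a legacy SSLv3 server commonly supports; POODLE's padding oracle needs CBC mode.
CBC_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
STREAM_SUITES = {0x0005: "TLS_RSA_WITH_RC4_128_SHA"}
OFFERED = {**CBC_SUITES, **STREAM_SUITES}
ALERT_NAMES = {40: "handshake_failure", 47: "illegal_parameter", 70: "protocol_version"}


def build_sslv3_client_hello(random32: Optional[bytes] = None) -> bytes:
    """Record layer + ClientHello advertising only version 3.0 and no extensions."""
    random32 = random32 or os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in OFFERED)
    body = (SSLV3 + random32 + b"\x00"                 # client_version, random, empty session id
            + struct.pack("!H", len(suites)) + suites  # cipher_suites vector
            + b"\x01\x00")                             # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + SSLV3 + struct.pack("!H", len(handshake)) + handshake


@dataclass
class ProbeResult:
    sslv3_accepted: bool
    detail: str
    cipher_suite: Optional[int] = None


def parse_server_response(data: bytes) -> ProbeResult:
    """Classify the first record the server sends back to an SSL 3.0-only ClientHello."""
    if len(data) < 5:
        return ProbeResult(False, "no or truncated response (server likely closed the connection)")
    ctype, _major, _minor, rlen = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + rlen]
    if ctype == ALERT and len(body) >= 2:
        return ProbeResult(False, f"alert: {ALERT_NAMES.get(body[1], body[1])}")
    if ctype != HANDSHAKE or len(body) < 41 or body[0] != SERVER_HELLO:
        return ProbeResult(False, f"unexpected record type 0x{ctype:02x}")
    version = body[4:6]                      # server_version follows the 4-byte handshake header
    if version != SSLV3:
        return ProbeResult(False, f"server chose version {version.hex()}")
    sid_len = body[38]                       # 2 version + 32 random bytes precede session_id length
    if len(body) < 41 + sid_len:
        return ProbeResult(False, "truncated ServerHello")
    suite = struct.unpack("!H", body[39 + sid_len:41 + sid_len])[0]
    name = OFFERED.get(suite, f"0x{suite:04x}")
    cbc = " (CBC suite: POODLE-exposed)" if suite in CBC_SUITES else ""
    return ProbeResult(True, f"SSL 3.0 accepted with {name}{cbc}", suite)


def probe_host(host: str, port: int = 443, timeout: float = 5.0) -> ProbeResult:
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
    return parse_server_response(data)


def _constructed_server_hello(version: bytes, suite: int, sid: bytes = b"") -> bytes:
    """Constructed sample response (not a real capture) for offline parser checks."""
    body = version + bytes(32) + bytes([len(sid)]) + sid + struct.pack("!H", suite) + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + version + struct.pack("!H", len(hs)) + hs


# Constructed samples: a legacy server that accepts SSLv3 with AES-CBC, a server that
# answers with a fatal protocol_version alert, and one that negotiated TLS 1.0 instead.
CONSTRUCTED_SSLV3_HELLO = _constructed_server_hello(SSLV3, 0x002F, b"\x11" * 8)
CONSTRUCTED_ALERT = b"\x15\x03\x00\x00\x02\x02\x46"
CONSTRUCTED_TLS10_HELLO = _constructed_server_hello(b"\x03\x01", 0x002F)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python poodle_check.py host [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print(sys.argv[1], "->", probe_host(sys.argv[1], port).detail)
    else:
        for label, sample in [("legacy", CONSTRUCTED_SSLV3_HELLO), ("alert", CONSTRUCTED_ALERT),
                              ("tls1.0", CONSTRUCTED_TLS10_HELLO)]:
            print(label, "->", parse_server_response(sample).detail)
```

Run it against each hostname on your own inventory and treat any "SSL 3.0 accepted" result as an action item; the stop-gap on the server side is to disable the SSLv3 protocol entirely rather than to prune CBC suites, since the downgrade itself is what the attack relies on. A server that closes the connection without an alert is also reported as "not accepted", which is the behaviour of most servers that have the protocol compiled out.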

