SSL v3 Vulnerability - POODLE

Written by Ilesh Mistry
November 5th 2015


There is a new vulnerability in SSL v3: the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack.

POODLE's main area of attack is SSL v3. In particular, it allows an attacker to retrieve plaintext elements, such as cookies, from the SSL connection. As you can see, this is something that could prove costly if hackers got hold of sensitive information.

There is a great article by Scott Helme describing this vulnerability in more detail: SSL v3 goes to the dogs - POODLE kills off protocol.

We have come across this on one of our servers that hosts some of our Kentico sites. To fix this, a colleague of mine used this article for guidance and we followed the topic talking about how to fix this in IIS.

Once the instructions have been followed and the appropriate settings have been set, you can check your server configuration changes using the Qualys SSL Test. This gives you a certificate / report on the page telling you if the site passed the test.
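On IIS, the protocol settings are read from the Windows SCHANNEL registry keys, so the fix amounts to switching SSL 3.0 off there. The following PowerShell is an added example, not taken from this post or the linked article; the function names `Get-Ssl3State` and `Disable-Ssl3` are made up for illustration, and it assumes an elevated prompt on the server.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# SCHANNEL reads per-protocol settings from this key: 'Server' covers IIS,
# 'Client' covers outbound connections made from the same machine.
$Ssl3Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0'
$Roles   = 'Server', 'Client'

# Hypothetical helper: report what is configured right now.
# A missing key or value means the operating system default applies.
function Get-Ssl3State {
    foreach ($role in $Roles) {
        $props = Get-ItemProperty -Path (Join-Path $Ssl3Key $role) -ErrorAction SilentlyContinue
        $enabled   = $props.Enabled
        $byDefault = $props.DisabledByDefault
        [pscustomobject]@{
            Role              = $role
            Enabled           = if ($null -eq $enabled)   { 'not set' } else { $enabled }
            DisabledByDefault = if ($null -eq $byDefault) { 'not set' } else { $byDefault }
            ExplicitlyOff     = ($enabled -eq 0)
        }
    }
}

# Hypothetical helper: write Enabled=0 and DisabledByDefault=1 for both roles.
function Disable-Ssl3 {
    foreach ($role in $Roles) {
        $key = Join-Path $Ssl3Key $role
        # Create the key (and any missing parents) only if it is absent,
        # so existing values under it are left alone.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

# Audit first; nothing is changed until Disable-Ssl3 is called.
Get-Ssl3State | Format-Table -AutoSize

# Uncomment to apply, then restart the server: SCHANNEL picks up
# protocol changes after a reboot.
# Disable-Ssl3
# Get-Ssl3State | Format-Table -AutoSize
```

After the restart, run the Qualys SSL Test again to confirm the site no longer offers SSL 3.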

And that's it; there is not a lot to change and it is really simple.

Have a read of the article I have shown above (also shown below) as it details what you would need to do to be secured from the POODLE attack.

Useful links
SSL v3 goes to the dogs - POODLE kills off protocol
Qualys SSL Test