There is a critical vulnerability in the SSL 3.0 protocol which could allow an attacker to decrypt data encrypted in transit. A more up-to-date protocol, TLS, is widely used but connections can be forced to fall back to SSL 3.0 if it is enabled.
Attackers could target unprotected connections like public Wifi to perform a man-in-the-middle attack to steal logins and other institutional or personal data. Attacks are also possible in wired and secured wireless connections, but are less common.
All servers with services that use SSL connections, and all clients as well. This is not just limited to web browsers and web servers.
There are no known public exploits of this vulnerability yet.
Insecure protocols should be disabled in both clients and servers. Fixing either the client or the server mitigates the risk. IU server admins should focus on disabling server-side SSL 3.0 (and SSL 2.0 as well). You may need to do some research on how to fix this for your server software or client. Some examples are provided below.
A list of fixes has been gathered by SANS. Some of these are listed below.
- Apache: Add -SSLv3 to the "SSLProtocol" line. It should already contain -SSLv2 unless you list specific protocols.
- IIS: Follow the instructions here. (Don't download the .reg file) https://www.digicert.com/ssl-support/iis-disabling-ssl-v3.htm
- nginx: list specific allowed protocols in the "ssl_protocols" line. Make sure SSLv2 and SSLv3 is not listed. For example: ssl_protocols TLSv2 TLSv1.1 TLSv1.2;
- Postfix: Disable SSLv3 support in the smtpd_tls_mandatory_protocols configuration line. For example: smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
- Dovecot: similar, disable SSLv2 and SSLv3 in the ssl_protocols line. For example: ssl_protocols: !SSLv2 !SSLv3
- HAProxy Server: the bind configuration line should include no-sslv3 (this line also lists allowed ciphers)
- puppet: Puppet does not allow for a runtime configuration. You have to recompile puppet with SSLv3 disabled.
- Google Chrome: you need to start Google Chrome with the "--ssl-version-min=tls1" option.
- Internet Explorer: You can turn off SSLv3 support in the advanced internet option dialog. Instructions for deploying this change using Group Policy are available from Microsoft: https://technet.microsoft.com/en-us/library/security/3009008.aspx
- Firefox: check the "security.tls.version.min" setting in about:config and set it to 1.