Is SSL 3 dead in your organization? It should be!


It has been a rough year for SSL. When Entertainment Tonight starts covering your vulnerabilities, it’s obvious that even people who don’t understand Internet security lack trust. This also means that developers and admins need to dust off that reliable code and change the security protocol sooner rather than later!

With the recent advisory around the POODLE vulnerability in SSL 3, I would advise developers to aggressively change their security protocol to TLS.

Getting your business customers behind a security change might have been difficult a few years ago, but it should not be anymore. With all the news around data breaches, a good case can be made for spending hours and money on product security without any visible changes to the product for users. It will pay off in the future if the data from your product and your organization is secure! That data is often customer information, which makes it key to your organization’s success, and in the wrong hands it can destroy customer trust.

Here’s the recommendation from Google’s security gurus:

The attack described requires an SSL 3.0 connection to be established, so disabling the SSL 3.0 protocol in the client or in the server (or both) will completely avoid it. If either side supports only SSL 3.0, then all hope is gone, and a serious update required to avoid insecure encryption. If SSL 3.0 is neither disabled nor the only possible protocol version, then the attack is possible if the client uses a downgrade dance for interoperability.

Disabling SSL 3.0 entirely right away may not be practical if it is needed occasionally to work with legacy systems. Also, similar protocol version downgrades are still a concern with newer protocol versions (although not nearly as severe as with SSL 3.0). The TLS_FALLBACK_SCSV mechanism from [draft-ietf-tls-downgrade-scsv-00] addresses the broader issue across protocol versions, and we consider it crucial especially for systems that maintain SSL 3.0 compatibility.

You can find the full report here: https://www.openssl.org/~bodo/ssl-poodle.pdf
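To make the two mitigations in the quoted recommendation concrete, here is an added example (not code from the report or from any TLS library) of the server-side decision: refuse a disabled protocol version, and refuse a fallback retry that carries TLS_FALLBACK_SCSV when the server supports something newer. The code point 0x5600 and alert 86 are the values from RFC 7507, the published form of the draft; the function names, the default version range and the sample ClientHello bytes are constructed for illustration.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600        # signalling cipher suite value, RFC 7507
INAPPROPRIATE_FALLBACK = 86       # fatal alert description, RFC 7507
SSL3, TLS10, TLS12 = 0x0300, 0x0301, 0x0303

def parse_client_hello(record: bytes):
    """Return (client_version, cipher_suites) from one TLS record holding a ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if rec_len != len(record) - 5 or hs_len != rec_len - 4 or hs_len < 35:
        raise ValueError("truncated or inconsistent lengths")
    version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                  # skip client_version and random
    pos += 1 + hello[pos]         # skip session_id
    if pos + 2 > len(hello):
        raise ValueError("session_id overruns message")
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    raw = hello[pos + 2:pos + 2 + cs_len]
    if len(raw) != cs_len or cs_len % 2:
        raise ValueError("bad cipher_suites length")
    return version, [s for (s,) in struct.iter_unpack("!H", raw)]

def server_decision(record: bytes, server_min=TLS10, server_max=TLS12) -> str:
    """Decide how a server supporting server_min..server_max answers this ClientHello."""
    version, suites = parse_client_hello(record)
    if version < server_min:
        return "reject: protocol version disabled"     # e.g. SSL 3.0 switched off
    if TLS_FALLBACK_SCSV in suites and version < server_max:
        # The client says this is a downgraded retry, yet we support a newer version.
        return f"alert {INAPPROPRIATE_FALLBACK}: inappropriate_fallback"
    return "continue handshake"

def build_client_hello(version: int, suites) -> bytes:
    """Constructed sample input: minimal ClientHello, zero random, no extensions."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (struct.pack("!H", version) + bytes(32) + b"\x00"
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", SSL3, len(hs)) + hs

if __name__ == "__main__":
    retry = build_client_hello(SSL3, [0xC02F, 0x002F, TLS_FALLBACK_SCSV])
    print(server_decision(retry))                      # SSL 3.0 disabled
    print(server_decision(retry, server_min=SSL3))     # SSL 3.0 kept for legacy peers
```

The second call is the case the quote singles out: a server that keeps SSL 3.0 for legacy peers still refuses a downgraded retry from a client that could have used a newer version.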
