News 10-15-2014

This POODLE Bites: New Vulnerability Found on Servers

Dan Timpson

Today, Google announced a vulnerability in the implementation of the SSL 3.0 protocol, potentially compromising secure connections online. DigiCert and other security experts are recommending system administrators disable SSL 3.0 on their servers and use TLS 1.1 or 1.2.

This vulnerability does not affect SSL Certificates. There is no need to renew, reissue, or reinstall any certificates.

DigiCert DOES NOT have SSL 3.0 enabled on its website or online services and is not vulnerable to the exploit.

SSL 3.0 is nearly 15 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and...will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue. - Google Security Blog

What Should I Do?

You can use DigiCert's free tools Certificate Inspector and the SSL Installation Diagnostics Tool to check if SSL 3.0 is enabled on your servers.

For servers that have SSL 3.0 enabled, DigiCert and other security experts are recommending that you disable SSL 3.0 and use at least TLS 1.0, preferably TLS 1.1 or 1.2. Most modern browsers will support TLS 1.1 and 1.2.

Instructions to disable SSL 3.0:

If you use a hosting provider, we recommend that you call your provider and request that they disable SSL 3.0 on your server.

To protect yourself while on sites that still have SSL 3.0 enabled, you can disable SSL 3.0 client-side in your own browser. See our instructions disabling SSL 3.0 in Internet Explorer, Firefox, and Chrome.

Servers that do not have SSL 3.0 enabled are unaffected.

DigiCert is taking swift action to notify our customers and other community members of the vulnerability, and inform them of the recommended courses of action.

UP NEXT
PKI

3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

5 Min

Featured Stories

07-03-2024

What is a CA’s Role in delivering digital trust?

10-31-2024

Announcing the GA release of DigiCert Device Trust Manager

10-29-2024

Solving the revocation gap with short-lived certificates