Today, Google announced a vulnerability in the implementation of the SSL 3.0 protocol, potentially compromising secure connections online. DigiCert and other security experts are recommending system administrators disable SSL 3.0 on their servers and use TLS 1.1 or 1.2.
This vulnerability does not affect SSL Certificates. There is no need to renew, reissue, or reinstall any certificates.
DigiCert DOES NOT have SSL 3.0 enabled on its website or online services and is not vulnerable to the exploit.
SSL 3.0 is nearly 15 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and…will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue.
– Google Security Blog
What Should I Do?
You can use DigiCert’s free tools Certificate Inspector and the SSL Installation Diagnostics Tool to check if SSL 3.0 is enabled on your servers.
For servers that have SSL 3.0 enabled, DigiCert and other security experts are recommending that you disable SSL 3.0 and use at least TLS 1.0, preferably TLS 1.1 or 1.2. Most modern browsers will support TLS 1.1 and 1.2.
Instructions to disable SSL 3.0:
If you use a hosting provider, we recommend that you call your provider and request that they disable SSL 3.0 on your server.
To protect yourself while on sites that still have SSL 3.0 enabled, you can disable SSL 3.0 client-side in your own browser. See our instructions disabling SSL 3.0 in Internet Explorer, Firefox, and Chrome.
Servers that do not have SSL 3.0 enabled are unaffected.
DigiCert is taking swift action to notify our customers and other community members of the vulnerability, and inform them of the recommended courses of action.
Will we need to switch SSLv3 back on again when the problem is patched?
Hi Jonny,
Because SSL 3.0 is an outdated protocol it is not a good idea to re-enable it if/when patches are released. Almost all browsers support TLS and most of your users should not experience issues if you do not re-enable SSL 3.0. DigiCert and other security experts are highly recommending moving away from SSL 3.0 permanently. If you have users on very old browsers (such as IE 6) you should encourage them to upgrade their browser to something newer and more secure.
Great thanks. Any chance of an article explaining the SSLCipherSuite options.
I currently have the default of:
ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
But I would like to know how to make this a little tighter.
The short answer is that your settings will really depend on what you are trying to accomplish. But I think it would be a worthwhile topic to write about and give best practices/information on each of the ciphers and in what scenarios you would enable or disable them. I’ll try to get something like that posted 🙂
I’ve written a couple of articles that contain details on how to harden your server config for more secure SSL here https://scotthelme.co.uk/a-plus-rating-qualys-ssl-test/ and here https://scotthelme.co.uk/squeezing-a-little-more-out-of-your-qualys-score/. There’s also a few articles that are linked in there and cover HSTS, Perfect Forward Secrecy and OCSP Stapling that you should also consider.
Thanks for the links! Hopefully we can write something like this soon.
The links on how to disable SSLv3 on the server platforms are great but it’s also worth noting that clients can disable SSLv3 in their browsers. This way, you don’t need to wait for sites to drop support for protection, you can protect yourself: https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/
Hey Scott,
Yes, disabling SSLv3 support in your own browser is a great proactive way to protect yourself. We actually have an article on this on our site:
https://www.digicert.com/ssl-support/disabling-browser-support-ssl-v3.htm
Thanks for the note!
Oh, I’d missed that when searching around!! Sorry and thanks for the link 🙂