Protect your computer from "POODLE Exploits" by disabling SSL 3.0 in your browser:
Google researchers have uncovered a vulnerability in the design of the widely used SSL version 3.0 that allows an attacker to intercept plaintext data from secure connections, putting quite literally millions of browsers in jeopardy.
Researchers Bodo Möller, Thai Duong and Krzysztof Kotowicz created a Padding Oracle On Downgraded Legacy Encryption (POODLE) attack that exploits the flaw. Kaspersky Lab security expert Sergey Lozhkin said the vulnerability “allows an attacker to decrypt data transmitted between a user and a website if a vulnerable version of the protocol is in use.”
Since the protocol is so popular, exploitation of the vulnerability “could expose private data, but only if an attacker successfully performed a complicated Man-in-the-Middle (MitM) attack,” Lozhkin said in a statement emailed to SCMagazine.com.
The MitM attack forces “a downgrade to SSL 3.0, an older protocol which the attacker can then exploit,” Jean Taggart, senior security researcher at Malwarebytes Labs, said in a statement emailed to SCMagazine.com. “This is known as a cypher suite rollback attack and allows communications to be intercepted.”
And he recommended disabling “SSL v3 and all previous versions of the protocol in your browser settings. SSL v3 is 15 years old now and has been superseded by the more up-to-date and widely supported TLS protocol, supported by most modern web browsers.”
How can you disable it?
* In Firefox :
1)- Go to the Mozilla Firefox add-ons page and add the SSL Version Control add-on.
2)- Then go to Tools -> Add-ons, choose SSL Version Control 0.2 and choose Preferences.
3)- Activate it.
* In Google Chrome :
- Windows users :
You can use this fix for a shortcut or the pinned application on the taskbar.
1. Right click the Google Chrome shortcut on the desktop. If you are changing the shortcut pinned to the Taskbar, you must then right click the "Google Chrome" item.
2. Click Properties from the drop-down menu. You will see the properties menu for the shortcut to Google Chrome.
3. Click inside the "Target" box and scroll all the way to the right (past the quote (")).
4. Enter --ssl-version-min=tls1
5. Click "OK" on the properties menu.
6. When asked for administrator permissions, click "Continue".
7. Restart Chrome.
- Ubuntu users :
Thanks to gertvdijk on AskUbuntu.
1. Open /usr/share/applications/google-chrome.desktop in a text editor.
2. For any line that begins with "Exec", add the argument --ssl-version-min=tls1. For instance the line
Exec=/usr/bin/google-chrome-stable %U
should become
Exec=/usr/bin/google-chrome-stable --ssl-version-min=tls1 %U
3. Reboot
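The Ubuntu edit above can be scripted. The following shell function is an added example, not part of the original post or of the AskUbuntu answer; the name harden_desktop_file is hypothetical. It inserts the flag directly after the executable on each Exec= line, leaves field codes such as %U in place, and changes nothing on a second run.

```shell
#!/bin/sh
# Added example: add Chrome's minimum-TLS flag to every Exec= line of a
# .desktop launcher exactly once, keeping field codes such as %U.
FLAG='--ssl-version-min=tls1'

# harden_desktop_file FILE
# Rewrites FILE in place and prints how many Exec= lines were changed.
harden_desktop_file() {
    hdf_file=$1
    [ -f "$hdf_file" ] || { echo "no such file: $hdf_file" >&2; return 1; }
    hdf_tmp=$(mktemp) || return 1
    # Count the Exec= lines that do not carry the flag yet.
    hdf_n=$(awk -v flag="$FLAG" \
        '/^Exec=/ && index($0, flag) == 0 { n++ } END { print n + 0 }' "$hdf_file")
    awk -v flag="$FLAG" '
        /^Exec=/ && index($0, flag) == 0 {
            val = substr($0, 6)                 # text after "Exec="
            if (substr(val, 1, 1) == "\"") {    # quoted executable path
                q = index(substr(val, 2), "\"")
                cut = q ? q + 1 : length(val)
            } else {                            # path ends at the first space
                sp = index(val, " ")
                cut = sp ? sp - 1 : length(val)
            }
            # The flag goes right after the executable, before other arguments.
            $0 = "Exec=" substr(val, 1, cut) " " flag substr(val, cut + 1)
        }
        { print }
    ' "$hdf_file" > "$hdf_tmp" || { rm -f "$hdf_tmp"; return 1; }
    # Overwrite the contents rather than the file, so owner and mode are kept.
    cat "$hdf_tmp" > "$hdf_file"
    rm -f "$hdf_tmp"
    echo "$hdf_n"
}

# Demo on a constructed sample launcher; the real file is never touched here.
demo=$(mktemp)
printf '%s\n' '[Desktop Entry]' 'Name=Google Chrome' \
    'Exec=/usr/bin/google-chrome-stable %U' > "$demo"
harden_desktop_file "$demo" >/dev/null
grep '^Exec=' "$demo"
rm -f "$demo"
```

On a real system the function would be run as root against /usr/share/applications/google-chrome.desktop, after keeping a backup copy of the file.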
- OS X users :
Thanks to Jorja Hung on GitHub.
2. Double-click "Workflow".
3. Under Library, click Utilities :
4. Double-click "Run Shell Script".
Replace cat with open -a "Google Chrome.app" --args --ssl-version-min=tls1
7. In the "Save As" box, type Chrome-POODLE-Proof.app.
8. In the "File Format" drop-down box, select "Application".
- Internet Explorer users :
To disable SSLv3 in Internet Explorer on Windows Vista and newer, uncheck the "Use SSL 3.0" box on the "Advanced" tab in the Internet Options program.
1. Launch "Internet Options" from the Start Menu
2. Click the "Advanced" tab
3. Uncheck "Use SSL 3.0"
4. Click "OK"
- Chromium users (Linux users) :
Thanks to David McBride.
On Debian and Ubuntu, edit /etc/chromium-browser/default :
- Safari users :
Apple has released Security Update 2014-005, which disables CBC-mode ciphers in coordination with SSLv3. The patch is available for Mac OS Mavericks, Mountain Lion, and Yosemite.
That's all, hope it helps ;)
Source : zmap