white fully poodle standing with owner on grass

Ask The Expert: POODLE SSL Vulnerability

(0)

 


For those of us out of the loop, a POODLE is a dog. Heard the old joke. It’s raining cats and dogs out, don’t step in the poodles. Seriously.

563px-Poodle_cropped
We’re not going to be talking about this kind of poodle (source).

For those of us in the know, POODLE can pose a serious threat to your businesses if not caught and corrected.

The POODLE SSL vulnerability is a technically complex issue. The following blog post with our recommendations for negating the POODLE SSL vulnerability will necessarily follow suit. If you have a hard time following the description of the POODLE SSL vulnerability or how to safeguard your business against it, VL highly recommends passing this blog article off to your business’ IT department.

Alternatively, VL is always happy to discuss these types of issues and their solutions with you any time. You can book a time slot to speak with one of VL’s many experts about this issue by clicking the button below.


Why do businesses resist keeping their critical business software up-to-date?

Sometimes businesses have a tendency to treat their business systems like China dolls. “If it ain’t broke, don’t fix it. It’s working so don’t touch it or even breathe too heavily on the server or else our invoices will stop getting sent.” That’s really an unenlightened attitude, one that smacks of voodoo and superstition. And it’s no way to run a modern business.

Other businesses hang on to old software and systems far too long. It may be for reasons like those above, or it may be simply that the business is loath to spend more on IT to upgrade a perfectly working integration setup. But those businesses are setting themselves up for a world of hurt down the road.

For instance, recent weeks have seen news of increasingly nasty vulnerabilities in encryption technologies. The POODLE SSL vulnerability is one we at VL have been grappling with of late. Some of our clients have approached us wondering if their secure eCommerce and EDI traffic is vulnerable, and if so, can the vulnerability be patched?

Sadly, the answer is no for some clients because the versions of software and systems they are running are so old that the software and OS vendors are no longer supporting it. That means vulnerabilities like this will not get patched, leaving you open to hacker attacks.

Older versions of the Liaison ECS and Delta software have no way to address this POODLE SSL vulnerability, provided you are exposed to it. Newer versions have implemented a way to specify the version of SSL to use for the encrypted connection, which is an effective way around the issue.

Don’t wait until you’ve already been hacked and can’t close the vulnerability. Upgrade today and stay one step ahead of the nasty hackers!

What is the POODLE SSL vulnerability?

In October 2014, researchers announced a new web vulnerability called POODLE:

POODLE: Padding Oracle On Downgraded Legacy Encryption

What this vulnerability means is that a “man-in-the-middle” attacker can force encrypted web communication to use the insecure SSL 3.0 web encryption protocol, and then break the encryption.

 width=

Attackers may force the communication between a client and server to downgrade from TLS to SSL 3.0 to be able to decrypt the network communication (

“To explain [POODLE] in simpler terms, if an attacker using a Man-In-The-Middle attack can take control of a router at a public hot spot, they can force your browser to downgrade to SSL 3.0 (an older protocol) instead of using the much more modern TLS (Transport Layer Security), and then exploit a security hole in SSL to hijack your browser sessions. Since this problem is in the protocol, anything that uses SSL is affected.” (Google’s press release on POODLE explains in more details the harm this vulnerability can cause:

“SSL 3.0 is nearly 18 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue.”

While many web browsers have adjusted their services to avoid POODLE, some of the applications your business uses may not have had this vulnerability patched.

Recommendations on Moving Forward

VL recommends for our customers with an on-premise license of Liaison ECS to upgrade to the latest release. This provides a mechanism for disabling SSL 3.0 on input, output, and listener/path channels.

For versions of ECS earlier than 7.1.3005 (released 7/16/2014), the only remedy is to upgrade to the latest version of ECS. If you have a valid Maintenance contract with Virtual Logistics, this upgrade is free. The latest release provides new controls for closing this vulnerability.

Once upgraded to ECS 7.1 or later, edit every HTTPS and FTPS input channel, listener/path channel, and output channel to disable SSL 3.0 as an allowed encryption protocol. That closes your vulnerability to POODLE SSL attacks.

All parties concerned with the POODLE SSL vulnerability may also want to check to ensure that all their partners support encrypted web communication using TLS 1.0 or better.

Google is working on removing support for SSL 3.0 completely from their client products, and Mozilla, Microsoft, and Apple are following suit with their client products to varying degrees – read more about what these companies are doing to mitigate POODLE source).

The second approach is to implement ‘anti-POODLE record splitting’, which splits the records into several parts and ensures none of them can be attacked. This approach also has drawbacks as it might cause compatibility issues (Google’s Online Security Blog

 

Click here to contact VL now, or click below to have VL contact you if you are concerned about the POODLE SSL vulnerability, or want to know more about how VL can help:

To stay on the pulse of data integration news, subscribe to VL’s blog:

Leave us a reply

Comments (0)

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close