Security bug in SSL 3.0 - POODLE


[17 October 2014]

A security bug has been identified in a widely used web encryption technology, SSL 3.0, that allows attackers to decrypt encrypted website connections. The bug has been named POODLE, short for Padding Oracle On Downgraded Legacy Encryption.

The bug is not easy to exploit and would need an attacker to control the internet connection between the browser and the server, a so-called man-in-the-middle attack. This could be achieved over insecure / unencrypted wi-fi access points.

This supports our general advice to staff not to use insecure / unencrypted wi-fi for access to University services using Single Sign On. 

What is IT Services doing about the bug?

SSL 3.0 is an 18-year-old protocol that has been superseded by the encryption protocol TLS, which does not suffer from the POODLE shortcoming.

The general advice, which the University will implement, is to stop using SSL 3.0 and instead use TLS for secure server connections.

We will also ensure that University managed web browsers use the TLS protocol.

Advice for staff and students

Please note that it is likely that most websites globally will now disable SSL 3.0. When this change happens, browsers using SSL 3.0 will not be able to access secure pages on those websites.

Most modern web browsers have TLS enabled but problems could be encountered with older, outdated browsers.  We are aware of a particular issue with Internet Explorer 6 on Windows XP.

If you encounter problems accessing secure webpages using Internet Explorer 7 & 8, you may need to enable TLS.

Instructions to enable TLS in Internet Explorer:

1) Select "Tools" > "Internet Options". NOTE: Depending on your IE settings, the "Tools" menu may be a gear icon in the upper right hand corner.

2) Go to the "Advanced" tab.

3) Scroll down to the "Security" section.

4) Locate and deselect "Use SSL 3.0" and select "Use TLS 1.0". If your browser has additional TLS options, such as TLS 1.1 and TLS 1.2, these should also be selected.

5) Then, press the "OK" button.

You may need to close and reopen all open browsers in order for these new settings to take effect.
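
For administrators who need to apply the same change without clicking through Internet Options, the steps above can be scripted. The PowerShell below is an added example, not part of the original notice; it assumes the per-user `SecureProtocols` registry value that Internet Options writes to, and the variable and function names are illustrative.

```powershell
# Added example: scripted form of the Internet Options steps (current user only).
# SecureProtocols is a bitmask; these are the flag values Windows uses for it.
$SSL3  = 0x0020
$TLS10 = 0x0080
$TLS11 = 0x0200
$TLS12 = 0x0800

# Set to $false on systems whose Internet Options do not list TLS 1.1 / TLS 1.2.
$EnableNewerTls = $true

$key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$name = 'SecureProtocols'

# Turn a bitmask into a readable list of the protocols it enables.
function Format-Protocols([int]$Mask) {
    $on = @()
    if ($Mask -band 0x0008) { $on += 'SSL 2.0' }
    if ($Mask -band $SSL3)  { $on += 'SSL 3.0' }
    if ($Mask -band $TLS10) { $on += 'TLS 1.0' }
    if ($Mask -band $TLS11) { $on += 'TLS 1.1' }
    if ($Mask -band $TLS12) { $on += 'TLS 1.2' }
    if ($on.Count -eq 0) { return '(none set)' }
    return ($on -join ', ')
}

$item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
if ($null -eq $item) {
    Write-Warning "$name is not set for this user; Windows defaults are in effect."
    $current = 0
} else {
    $current = [int]$item.$name
}

# Step 4 of the instructions: clear "Use SSL 3.0", set "Use TLS 1.0" (and newer).
$new = $current -band (-bnot $SSL3)
$new = $new -bor $TLS10
if ($EnableNewerTls) { $new = $new -bor $TLS11 -bor $TLS12 }

Write-Output ("Before: 0x{0:X4}  {1}" -f $current, (Format-Protocols $current))
Write-Output ("After : 0x{0:X4}  {1}" -f $new, (Format-Protocols $new))

# Write only when something actually changes.
if ($new -ne $current) {
    Set-ItemProperty -Path $key -Name $name -Value $new -Type DWord
}
```

Where Group Policy manages this setting, the policy value takes precedence over the per-user value written here.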