WirelessPhreak.com

travel, science, technology, and all other geeky things

Well, they have used up all the awesome vulnerability names, hence the POODLE attack (Padding Oracle On Downgraded Legacy Encryption). Twitter security chatter has increased around the POODLE attack, and a CVE number has been assigned: CVE-2014-3566.

Links to both the Google paper and the CVE.
High Level Explanation:
The quick and dirty version: even if a client and server both support a version of TLS, the security level offered by SSL 3.0 is still relevant, since many clients implement a protocol downgrade dance to work around server-side interoperability bugs. In the Google security advisory they discuss how attackers can exploit the downgrade dance and break the cryptographic security of SSL 3.0.

The only real workaround is to disable SSL 3.0, but for many web admins supporting legacy clients (Windows XP running IE6, for example) disabling SSL 3.0 is not an option.

If you end up leaving SSL 3.0 enabled, you can enable TLS_FALLBACK_SCSV. This makes the SSL/TLS version negotiation between the client and the server more controlled, limiting the possibility of a client and server silently dropping to a lower protocol version during the negotiation.
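As an added illustration of what TLS_FALLBACK_SCSV does on the server side (example code written for this post, not F5's or OpenSSL's implementation), the Python below parses a constructed ClientHello and applies the rule from RFC 7507: the cipher suite value 0x5600 is the one defined in that RFC, and the ClientHello bytes are built locally, not captured from a real client.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600   # signaling cipher suite value defined in RFC 7507
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303

def parse_client_hello(record):
    """Pull client_version and the cipher suite list out of a raw TLS record
    carrying a ClientHello. Only the fields the fallback check needs are parsed."""
    content_type, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if content_type != 22 or len(body) != rec_len or body[0] != 1:
        raise ValueError("not a ClientHello handshake record")
    client_version = struct.unpack("!H", body[4:6])[0]   # after the 4-byte handshake header
    pos = 6 + 32                                          # skip the 32-byte random
    pos += 1 + body[pos]                                  # skip the session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {"client_version": client_version, "cipher_suites": suites}

def fallback_decision(hello, server_max_version):
    """RFC 7507 section 3: if the client signals a fallback retry (SCSV present) but
    asks for less than this server's highest version, the retry was not needed, so
    something in the path broke the first attempt; refuse with inappropriate_fallback."""
    if (TLS_FALLBACK_SCSV in hello["cipher_suites"]
            and hello["client_version"] < server_max_version):
        return "inappropriate_fallback"
    return "accept"

def build_client_hello(version, suites):
    """Constructed minimal ClientHello record (no extensions) for offline testing."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", version) + bytes(32) + b"\x00"      # version, random, empty session id
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00")       # cipher suites, null compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, TLS10, len(handshake)) + handshake

if __name__ == "__main__":
    # Downgraded retry from a modern client: SSLv3 plus the SCSV -> server refuses.
    retry = parse_client_hello(build_client_hello(SSL3, [0x002F, TLS_FALLBACK_SCSV]))
    print(fallback_decision(retry, TLS12))          # inappropriate_fallback
    # Genuine legacy client (IE6-style): SSLv3 without the SCSV -> server cannot tell, accepts.
    legacy = parse_client_hello(build_client_hello(SSL3, [0x002F]))
    print(fallback_decision(legacy, TLS12))         # accept
```

The second case is the limit of the mechanism: a client that never sends the SCSV still gets SSL 3.0, which is why disabling the protocol remains the only complete fix.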

I will add more specifics on the F5 and how you would enable the TLS_Fallback command, as well as how to order your SSL protocols and cipher strengths.

***UPDATE***
According to F5, they do not currently support the TLS_FALLBACK_SCSV cipher. There is talk of an engineering hotfix that may include support, but there is no solid ETA. F5 is recommending you disable SSL 3.0 where you can.


OpenSSL command to test if a web server supports SSL 3.0:

openssl s_client -connect target:443 -ssl3
If the command sits waiting for you to enter more input, you have just made an SSLv3 connection. If the command returns you to the shell prompt right away, SSLv3 is disabled on that target host.