Loophole protection approaches of SSL V3

We just learned from OpenSSL official website of SSLv3-Poodle attack. Please take notice of it. For more information, please visit https://www.openssl.org/~bodo/ssl-poodle.pdf.

This loophole runs through all versions of SSLv3. Hackers can successfully get transmission data (like cookies) by middleman attack or other similar ways (as long as the both ends of the data hijacked use SSL 3.0 to encrypt), taking advantage of this loophole. As before this post, there was no patch being released.

WoSign suggest users to stop client side SSL v3 support or server SSLv3 support or both.

Stop server SSLv3 support:

Nginx：

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_prefer_server_ciphers on;

ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-

RSA-AES256

SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE

RSA-AES128-SHA:RC4-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!DSS:!PKS;

ssl_session_timeout 5m;

ssl_session_cache builtin:1000 shared:SSL:10m;

Apache:

SSLProtocol all -SSLv2 -SSLv3

SSLHonorCipherOrder on

SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-

RSA-AES256

SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE

RSA-AES128-SHA:RC4-SHA:!aNULL:!MD5:!DSS

Stop client side SSLv3 support:

Google said Chrome browser has shielded the browser from automatically downgrading to SSL 3.0 link by technical means.

Approach of manually shutting off SSL 3.0 support:

Windows:

1) Close the Chrome browser completely

2) Copy a shortcut of opening Chrome at ordinary times

3) Click the right-hand button on the shortcut and enter Attribute

4) Type in the following order at the end of the fields after Object: --ssl-version-min=tls1

Mac OS X:

1) Close the Chrome browser completely

2) Find the Terminal equipped in your computer

3) Type in the following order: /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --ssl-version-min=tls1

Linux:

1) Close the Chrome browser completely

2) Type in the following order in the Terminal: google-chrome—ssl-version-min=tls1

Firefox users can enter about:config by typing it in the address bar and then adjust security.tls.version.min to 1.

After testing, XP, 2003, Win7 and Win8 of PC can be accessed normally when SSLv3 is shut down.

Meanwhile, mobile end like Android 2.2 or above, Windowphone and iPhone can access normally.