SSL 3.0 Protocol Vulnerability and POODLE Attack
All systems and applications utilizing the Secure Socket Layer (SSL) 3.0 with cipher-block chaining (CBC) mode ciphers may be vulnerable. However, the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack demonstrates this vulnerability using web browsers and web servers, which is one of the most likely exploitation scenarios. This affects most current browsers and websites, but also includes any software that either references a vulnerable SSL/TLS library (OpenSSL) or implements the SSL/TLS protocol suite itself. By exploiting this vulnerability in a likely web-based scenario, an attacker can gain access to sensitive data passed within the encrypted web session, such as passwords, cookies and other authentication tokens that can then be used to gain more complete access to a website.
We highly recommend disabling SSL 3.0 as well as SSL 2.0 if applicable.
To disable SSL 2.0/3.0 in IIS 6 or IIS 7:
1. Click Start, click Run, type regedit, and then click OK.
2. In Registry Editor, locate the following registry key/folder:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
3. Right-click on the SSL 2.0 folder and select New and then click Key. Name the new folder Server.
4. Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value.
5. Enter Enabled as the name and hit Enter.
6. Ensure that it shows 0x00000000 (0) under the Data column (it should by default). If it doesn't, right-click and select Modify and enter 0 as the Value data.
7. Now to disable SSL 3.0, right-click on the SSL 3.0 folder and select New and then click Key. Name the new folder Server.
8. Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value.
9. Enter Enabled as the name and hit Enter.
10. Ensure that it shows 0x00000000 (0) under the Data column (it should by default). If it doesn't, right-click and select Modify and enter 0 as the Value data.
11. Restart the computer.
This process is the same for IIS 6 (Windows Server 2003) machines. The server folder under SSL 2.0/SSL 3.0 will already be created so you will only need to create a new DWORD value under it and name it Enabled.
To disable SSL 3.0 in IIS 8 (Windows Server 2012):
1. In the Search menu type regedit.exe
2. Right-click on regedit.exe and click Run as Administrator
3. In the registry editor go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\
4. In the navigation tree, right-click on Protocols, and in the pop-up menu, click New > Key. Name the key SSL 3.0.
5. In the navigation tree, right-click on the new SSL 3.0 key that you just created, and in the pop-up menu, click New > Key. Name the key Client.
6. In the navigation tree, right-click on the new SSL 3.0 key again, and in the pop-up menu, click New > Key. Name the key Server.
7. n the navigation tree, under SSL 3.0, right-click on Client, and in the pop-up menu, click New > DWORD (32-bit) Value. Name the value DisabledByDefault.
8. In the navigation tree, under SSL 3.0, select Client and then, in the right pane, double-click the DisabledByDefault DWORD value.
9. In the Edit DWORD (32-bit) Value window, in the Value Data box change the value to 1 and then, click OK.
10. In the navigation tree, under SSL 3.0, right-click on Server, and in the pop-up menu, click New > DWORD (32-bit) Value. Name the value Enabled.
11. In the navigation tree, under SSL 3.0, select Server and then, in the right pane, double-click the Enabled DWORD value.
12. In the Edit DWORD (32-bit) Value window, in the Value Data box leave the value at 0 and then, click OK.
13. Restart your Windows server.
Once you have disabled the protocols, you may test your server at www.poodlescan.com.
