What about POODLE attacks?
If your server still supports SSLv3, chances are you're exposing both servers and clients, so this matters. Here are some resources and tests for POODLE vulnerabilities:
New: Just when you thought it was taken care of by removing SSLv3 in favour of TLS, researchers discover that some TLS implementations leave some major sites open to the POODLE attack.
TLS's padding is a subset of SSLv3's padding so, technically, you could use an SSLv3 decoding function with TLS and it would still work fine. It wouldn't check the padding bytes but that wouldn't cause any problems in normal operation. However, if an SSLv3 decoding function was used with TLS, then the POODLE attack would work, even against TLS connections. - Adam Langley
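As an added illustration (not code from the original post or from Adam Langley), the following Python contrasts an SSLv3-style padding check with the stricter TLS check on the final decrypted block of a CBC record; the record bytes are constructed here, and the SSLv3-style check assumes a pad length below one block size.

```python
# Added example: SSLv3 only defines the pad-length byte and leaves the padding
# bytes unspecified, so a decoder written for it ignores them; TLS requires
# every padding byte to equal the pad length. A TLS stack that reuses the lax
# check accepts records it should reject, which is what the quote describes.
from typing import Optional

BLOCK_SIZE = 16  # assumed cipher block size (e.g. AES-CBC)

def tls_pad(data: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Append TLS-style padding: pad_len + 1 bytes, each equal to pad_len."""
    pad_len = (block_size - (len(data) + 1) % block_size) % block_size
    return data + bytes([pad_len]) * (pad_len + 1)

def sslv3_padding_ok(rec: bytes, block_size: int = BLOCK_SIZE) -> bool:
    """SSLv3 rule: only the pad-length byte is checked; padding bytes are not."""
    if not rec:
        return False
    pad_len = rec[-1]
    return pad_len < block_size and len(rec) >= pad_len + 1

def tls_padding_ok(rec: bytes) -> bool:
    """TLS rule (RFC 5246, 6.2.3.2): every padding byte must equal pad_len."""
    if not rec:
        return False
    pad_len = rec[-1]
    if len(rec) < pad_len + 1:
        return False
    return all(b == pad_len for b in rec[-(pad_len + 1):])

def strip_padding(rec: bytes, strict: bool) -> Optional[bytes]:
    """Return the record without padding, or None if the chosen check fails."""
    ok = tls_padding_ok(rec) if strict else sslv3_padding_ok(rec)
    return rec[:-(rec[-1] + 1)] if ok else None

# Constructed sample: a 14-byte plaintext padded correctly (two bytes of 0x01),
# then a copy whose padding byte is overwritten while the pad-length byte stays.
GOOD = tls_pad(b"GET / HTTP/1.1")
TAMPERED = GOOD[:-2] + b"\x99" + GOOD[-1:]

def demo() -> dict:
    """Compare both checks on the good and the tampered record."""
    return {
        "good_sslv3": sslv3_padding_ok(GOOD),
        "good_tls": tls_padding_ok(GOOD),
        "tampered_sslv3": sslv3_padding_ok(TAMPERED),  # lax check still accepts
        "tampered_tls": tls_padding_ok(TAMPERED),      # strict check rejects
    }

if __name__ == "__main__":
    print(demo())
```

The lax decoder returns the plaintext for the tampered record, which is exactly the accept/reject difference a padding oracle needs; the strict decoder returns nothing.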
Another quality update courtesy of Qualys Labs:
Update: Are Trusted Canadian Websites Vulnerable to POODLE?
In "Poodle Bug Returns, Bites Big Bank Sites" Brian Krebs reports that some US banks are vulnerable to POODLE attack, at least as determined using the online scanning tool provided by Qualys. We did the same for the major Canadian banks and found that they all got a B and are not vulnerable to POODLE attacks, which is a far cry from the Fs earned by some of their U.S. counterparts. Hooray for relative security! Click the links to see all the reports.
The highest mark we've seen so far goes to:
Sony Canada Online Store
Industry Canada (Business Registrations & Incorporation Services - Up from F on Dec 13, 2014)
Canada Revenue Agency (Up from C on Dec 13, 2014)
Got a question, suggestion or correction? For site updates or comments email Soundbites@SecurityandPrivacy.ca or tweet / follow @datarisk
POODLE on Power Systems
A number of parties have claimed that midrange systems, and the IBM i platform in particular, are largely invulnerable to POODLE. This is not entirely true: IBM has released a number of advisories to raise awareness of the risk to various products and services:
- IBM Domino impact and Interim fixes
- WebSphere Application Server
- CICS Explorer and Transaction Gateway
- Lotus Notes Traveler
Dec 9 Update:
IBM i shops that continue to use SSLv3 to encrypt their communications are susceptible to the POODLE security vulnerability and could have their data compromised, IBM warned today in a security bulletin. IBM also issued new security patches that disable SSLv3 in IBM i's Java runtime. While IBM recommends moving to the newer TLS protocol, many IBM i applications still require SSLv3 and will likely break when it's disabled, IBM warns. - Alex Woodie