Google discovered a critical vulnerability in SSLv3, known as “POODLE”, that can allow an attacker to extract secret information from inside an encrypted transaction. SSLv3 is an old version of the “Secure Sockets Layer” (SSL), the security system that underlies secure Web transactions.
How could an attacker exploit the vulnerability?
In a man-in-the-middle (MiTM) attack, an attacker could downgrade an encrypted TLS session, forcing clients to use SSL 3.0, and then force the browser to execute malicious code. This code sends several requests to a target HTTPS website, where cookies are sent automatically if a previous authenticated session exists. This is a required condition for exploiting this vulnerability. The attacker could then intercept this HTTPS traffic and, by exploiting a weakness in the CBC block cipher in SSL 3.0, decrypt portions of the encrypted traffic (e.g. authentication cookies).
How to disable SSL version 3.0 in Windows?
Microsoft suggested some workarounds to disable SSL 3.0 on the client and server side. They also mentioned that Internet Explorer will fail to connect to Web servers that only support SSL up to 3.0 and don’t support TLS 1.0, TLS 1.1, and TLS 1.2. Before applying the workarounds below, ensure that all web servers have migrated to TLS.
Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 in Internet Explorer
You can disable the SSL 3.0 protocol in Internet Explorer by modifying the Advanced Security settings in Internet Explorer.
To change the default protocol version to be used for HTTPS requests, perform the following steps:
1. On the Internet Explorer Tools menu, click Internet Options.
2. In the Internet Options dialog box, click the Advanced tab.
3. In the Security category, uncheck Use SSL 3.0 and check Use TLS 1.0, Use TLS 1.1, and Use TLS 1.2 (if available).
4. Click OK.
5. Exit and restart Internet Explorer.
Note: After applying this workaround, Internet Explorer will fail to connect to Web servers that only support SSL up to 3.0 and don’t support TLS 1.0, TLS 1.1, and TLS 1.2.
Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy
You can disable support for the SSL 3.0 protocol in Internet Explorer via Group Policy by modifying the Turn Off Encryption Support Group Policy Object.
1. Open Group Policy Management.
2. Select the group policy object to modify, right click and select Edit.
3. In the Group Policy Management Editor, browse to the following setting:
Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Advanced Page -> Turn off encryption support
4. Double-click the Turn off Encryption Support setting to edit the setting.
5. Click Enabled.
6. In the Options window, change the Secure Protocol combinations setting to “Use TLS 1.0, TLS 1.1, and TLS 1.2”.
7. Click OK.
Note: Administrators should make sure this group policy is applied appropriately by linking the GPO to the appropriate OU in their environment.
Note: After applying this workaround, Internet Explorer will fail to connect to Web servers that only support SSL up to 3.0 and don’t support TLS 1.0, TLS 1.1, and TLS 1.2.
Disable SSL 3.0 in Windows
You can disable support for the SSL 3.0 protocol on Windows by following these steps:
1. Click Start, click Run, type regedt32 or type regedit, and then click OK.
2. In Registry Editor, locate the following registry key:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
Note: If the complete registry key path does not exist, you can create it by expanding the available keys and using the New -> Key option from the Edit menu.
3. On the Edit menu, click Add Value.
4. In the Data Type list, click DWORD.
5. In the Value Name box, type Enabled, and then click OK.
Note: If this value is present, double-click the value to edit its current value.
6. Type 00000000 in Binary Editor to set the value of the new key equal to “0”.
7. Click OK. Restart the computer.
Note: This workaround will disable SSL 3.0 for all server software installed on a system, including IIS.
Note: After applying this workaround, clients that rely only on SSL 3.0 will not be able to communicate with the server.
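The registry steps above can also be applied and checked from an elevated PowerShell prompt. The script below is an added example, not part of Microsoft's article; the -AuditOnly switch and the Get-Ssl3ServerState function are names made up for this example.

```powershell
# Added example: audits and applies the "Disable SSL 3.0 in Windows" registry
# steps on the local machine. Run from an elevated PowerShell prompt.
# -AuditOnly is a switch of this example script: report the state, change nothing.
param([switch]$AuditOnly)

# Same key as in step 2, written as a PowerShell registry provider path.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server'

function Get-Ssl3ServerState {
    # 'Disabled'      : Enabled value exists and equals 0
    # 'Enabled'       : Enabled value exists and is non-zero
    # 'NotConfigured' : key or value is absent, so the OS default applies
    if (-not (Test-Path -LiteralPath $key)) { return 'NotConfigured' }
    $prop = Get-ItemProperty -LiteralPath $key -Name 'Enabled' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'NotConfigured' }
    if ($prop.Enabled -eq 0) { return 'Disabled' }
    return 'Enabled'
}

$before = Get-Ssl3ServerState
Write-Output "SSL 3.0 (Server) before: $before"

if (-not $AuditOnly -and $before -ne 'Disabled') {
    # Create the key path only when it is missing (the "New -> Key" note).
    # New-Item -Force on an existing key would recreate it and drop its values.
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # Steps 3 to 6: DWORD value named Enabled, set to 0. -Force overwrites an
    # existing value, matching the "if this value is present" note.
    New-ItemProperty -LiteralPath $key -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null

    Write-Output "SSL 3.0 (Server) after:  $(Get-Ssl3ServerState)"
    Write-Output 'Restart the computer for the change to take effect (step 7).'
}
```

Running it with -AuditOnly across servers before the change shows which hosts still rely on the operating system default for SSL 3.0.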
Reference:
http://support.microsoft.com/kb/187498/en-us