Protecting your sensitive data from the POODLE vulnerability

     In October 2014, Google researchers published a flaw in the SSL 3.0 protocol that lets an attacker on the network decrypt parts of a supposedly encrypted session. The "POODLE" (Padding Oracle On Downgraded Legacy Encryption) attack lets such an attacker recover secrets, most practically HTTP session cookies, sent between a browser and an HTTPS website.

     POODLE has two parts. First, an attacker sitting between the browser and the server (on public Wi-Fi, for example) interferes with the TLS (Transport Layer Security) handshake, and most clients of the time then retried with the older SSL 3.0 rather than failing, even though both sides supported TLS. Second, SSL 3.0's CBC cipher suites leave the padding bytes unauthenticated and check only the final padding-length byte, which turns the server into a padding oracle: by making the victim's browser send many requests with the cookie aligned to a block boundary and moving one ciphertext block into the padding position, the attacker learns one cookie byte for roughly every 256 requests from whether the server accepts or rejects the record. A recovered session cookie can then be replayed to hijack the victim's account.
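The padding-oracle half of the attack, as an added example that is not code from the original post or from the researchers: a Python simulation of SSL 3.0-style CBC records in which the attacker recovers a cookie one byte at a time from the server's accept/reject answers. The block cipher (a toy Feistel network), the MAC and the request layout are stand-ins I chose for illustration, and the attacker is assumed to know the HTTP layout and cookie length, as it would in the real attack where it drives the browser with injected script.

```python
# Added example, not code from the original post: a self-contained simulation of the
# POODLE padding-oracle step against SSL 3.0-style CBC records. Toy assumptions: a
# 4-round Feistel network built from HMAC-SHA256 stands in for AES/3DES, HMAC-SHA256 is
# the record MAC, IVs are random per record; the padding rule is SSL 3.0's real one.
import hashlib, hmac, os

BLOCK = 16                     # cipher block size (AES-CBC suites in SSL 3.0)
MAC_LEN = 32                   # HMAC-SHA256 digest length
SECRET_COOKIE = b"deadbeef"    # constructed secret the attacker wants to read
REQ_HEAD = b"GET /"
REQ_MID = b" HTTP/1.1\r\nCookie: session="

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, block):  # toy keyed permutation on one 16-byte block
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _round(key, i, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _round(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for k in range(0, len(data), BLOCK):
        prev = block_encrypt(key, xor(data[k:k + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for k in range(0, len(data), BLOCK):
        out.append(xor(block_decrypt(key, data[k:k + BLOCK]), prev))
        prev = data[k:k + BLOCK]
    return b"".join(out)

class Sslv3Session:
    """Victim browser and server sharing one session. The attacker sees every record
    and, via injected JavaScript, picks the request's URL and body lengths; no keys."""
    def __init__(self):
        self.enc_key, self.mac_key = os.urandom(16), os.urandom(16)

    def client_send(self, prefix_len, suffix_len):
        data = (REQ_HEAD + b"A" * prefix_len + REQ_MID + SECRET_COOKIE
                + b"\r\n" + b"B" * suffix_len)
        mac = hmac.new(self.mac_key, data, hashlib.sha256).digest()
        pad_len = BLOCK - (len(data) + MAC_LEN) % BLOCK        # 1..BLOCK bytes
        padding = b"\x00" * (pad_len - 1) + bytes([pad_len - 1])
        iv = os.urandom(BLOCK)
        return iv, cbc_encrypt(self.enc_key, iv, data + mac + padding)

    def server_accepts(self, iv, ct):
        plain = cbc_decrypt(self.enc_key, iv, ct)
        L = plain[-1]                          # SSL 3.0 looks at this byte only
        if L > BLOCK - 1 or len(plain) < L + 1 + MAC_LEN:
            return False
        body = plain[:len(plain) - (L + 1)]    # other padding bytes: never checked
        data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
        expected = hmac.new(self.mac_key, data, hashlib.sha256).digest()
        return hmac.compare_digest(mac, expected)

def suffix_for_full_padding(session, prefix_len):
    """Grow the body a byte at a time: the ciphertext length jumps by one block exactly
    when the padding wraps from a single byte to a full block, which POODLE needs."""
    prev = len(session.client_send(prefix_len, 0)[1])
    for s in range(1, BLOCK + 1):
        cur = len(session.client_send(prefix_len, s)[1])
        if cur == prev + BLOCK:
            return s
        prev = cur
    raise RuntimeError("padding must wrap within BLOCK extra bytes")

def recover_byte(session, j, max_trials=100_000):
    pos_base = len(REQ_HEAD) + len(REQ_MID) + j
    prefix_len = (BLOCK - 1 - pos_base) % BLOCK   # put cookie byte j last in its block
    suffix_len = suffix_for_full_padding(session, prefix_len)
    i = (pos_base + prefix_len) // BLOCK          # index of the block holding that byte
    for _ in range(max_trials):
        iv, ct = session.client_send(prefix_len, suffix_len)
        blocks = [iv] + [ct[k:k + BLOCK] for k in range(0, len(ct), BLOCK)]
        c_i, c_prev, c_before_last = blocks[i + 1], blocks[i], blocks[-2]
        # Swap the all-padding last block for C_i: the server sees P_i ^ C_{i-1} ^ C_{n-2}
        # and accepts only if its last byte is BLOCK-1 (1 in 256); the MAC is untouched.
        if session.server_accepts(iv, ct[:-BLOCK] + c_i):
            return (BLOCK - 1) ^ c_prev[-1] ^ c_before_last[-1]
    raise RuntimeError("oracle never accepted (vanishingly unlikely)")

def recover_cookie(session, length):
    return bytes(recover_byte(session, j) for j in range(length))

if __name__ == "__main__":
    print(recover_cookie(Sslv3Session(), len(SECRET_COOKIE)))
```

Running the script prints b'deadbeef' after a few thousand oracle queries. Two design points carry over to the real attack: the attacker never touches the data or MAC blocks, so every accepted record is a genuine server-side decryption of the cookie byte, and the block cipher is irrelevant, which is why the only fix is to stop speaking SSL 3.0 (TLS 1.0 and later authenticate the padding bytes, so this oracle does not exist there).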

     The fix Google recommends is to disable SSL 3.0 support on servers and clients; the same advisory also proposes the TLS_FALLBACK_SCSV signalling value so that a client and server that both support TLS can detect a forced downgrade. Read on to learn how to disable SSL 3.0 on your server.

How to disable SSL 3.0 on your VPS or dedicated server:

Users in the Linux Environment

     Disable SSLv3 in Apache by adding the following line to the mod_ssl configuration (httpd.conf, ssl.conf or the HTTPS virtual host file, depending on the distribution), then restart Apache so the new setting takes effect:

	SSLProtocol All -SSLv2 -SSLv3 
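An added example, not code from the original post or from the Apache project: a small Python audit script that evaluates SSLProtocol directives the way mod_ssl's parser does (the set starts empty, an unprefixed name replaces whatever was set before it, "+name" adds, "-name" removes, names are case-insensitive, "all" expands to every protocol) and reports any directive that still enables SSLv2 or SSLv3. The sample configuration inside it is constructed, and treating "all" as including SSLv2 (the Apache 2.2 meaning) is an assumption that only makes the check stricter.

```python
# Added example, not code from the original post: evaluate Apache mod_ssl
# "SSLProtocol" directives the way mod_ssl's own parser does and report any that
# still enable SSLv2 or SSLv3. Semantics mirrored here: the set starts empty, an
# unprefixed name REPLACES whatever was set before it, "+name" adds, "-name"
# removes, names are case-insensitive, and "all" expands to every protocol.
# Assumption: "all" includes SSLv2 (Apache 2.2 meaning); 2.4 drops SSLv2 from
# "all", which only makes this check more conservative.
import re
import sys

ALL_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
LEGACY = {"sslv2", "sslv3"}


def parse_sslprotocol(args):
    """Return the set of protocols one SSLProtocol directive leaves enabled."""
    enabled = set()
    for tok in args.split():
        action, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("=", tok)
        name = name.lower()
        if name == "all":
            protos = set(ALL_PROTOCOLS)
        elif name in ALL_PROTOCOLS:
            protos = {name}
        else:
            raise ValueError(f"Illegal protocol '{tok}'")
        if action == "-":
            enabled -= protos
        elif action == "+":
            enabled |= protos
        else:
            enabled = protos    # bare name: replaces, does not accumulate
    return enabled


def audit_config(text):
    """Return (line_no, directive, enabled_set) for every SSLProtocol directive
    in the config text that still allows SSLv2 or SSLv3."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line, re.IGNORECASE)
        if m:
            enabled = parse_sslprotocol(m.group(1))
            if enabled & LEGACY:
                findings.append((n, line.strip(), enabled))
    return findings


# Constructed sample with four HTTPS virtual hosts; the third uses the line from the post.
SAMPLE_CONFIG = """\
# constructed sample config
<VirtualHost *:443>
    SSLProtocol all
</VirtualHost>
<VirtualHost *:443>
    SSLProtocol all -SSLv2
</VirtualHost>
<VirtualHost *:443>
    SSLProtocol All -SSLv2 -SSLv3
</VirtualHost>
<VirtualHost *:443>
    SSLProtocol TLSv1 TLSv1.1 TLSv1.2
</VirtualHost>
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for n, directive, enabled in audit_config(text):
        print(f"line {n}: {directive!r} still enables {sorted(enabled & LEGACY)}")
```

Run it as `python audit_sslprotocol.py /etc/httpd/conf.d/ssl.conf` (script name and path are assumptions; check every file that can carry a virtual host, since each directive is evaluated on its own). Against the sample it flags lines 3 and 6 and is silent on line 9, the form used above. Note the fourth host: because unprefixed names replace one another, `SSLProtocol TLSv1 TLSv1.1 TLSv1.2` leaves only TLSv1.2 enabled (newer Apache versions log a warning about a missing +/- prefix), which is why the "All -SSLv2 -SSLv3" or "-all +TLSv1.2" forms are the safer way to write the directive. After restarting Apache, confirm from another host with `openssl s_client -connect example.com:443 -ssl3` (hostname assumed), which must fail to complete a handshake; an OpenSSL built without SSLv3 support rejects the -ssl3 option itself, in which case use an external scanner such as the SSL Labs test instead.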

Users in the Windows Environment

     Take the following steps in the Registry Editor. This disables SSL 3.0 in Schannel, so it covers IIS and every other Windows service that uses Schannel; Apache on Windows uses its own OpenSSL configuration, so use the Apache directive above for it instead.

  1. Click Start > Run. Type regedit, and then click OK.
  2. Locate this key in the Registry Editor:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
  3. If there is no SSL 2.0 key under Protocols, right-click Protocols, select New > Key, and name it SSL 2.0. Then right-click the SSL 2.0 key, select New > Key, and name the new key Server.
  4. With the Server key selected, open the Edit menu, select New, and click DWORD (32-bit) Value.
  5. Enter Enabled as the name and press Enter.
  6. Check that the Data column shows 0x00000000 (0). If it does not, right-click the value, select Modify, and enter 0 as the Value data.
  7. Repeat for SSL 3.0: create the SSL 3.0 key under Protocols if it is missing, then right-click it, select New > Key, and name the new key Server.
  8. With that Server key selected, open the Edit menu, select New, and click DWORD (32-bit) Value.
  9. Enter Enabled as the name and press Enter.
  10. Check that the Data column shows 0x00000000 (0). If it does not, right-click the value, select Modify, and enter 0 as the Value data.
  11. Restart the server. Schannel does not apply these registry changes until the system is restarted.
  12. Confirm from outside with the Qualys SSL Labs SSL Server Test (the "Public SSL Server Database") that SSL 2.0 and SSL 3.0 are reported as not supported.

     A Client key with the same Enabled value of 0, created next to each Server key, additionally stops the machine from using SSL 2.0 or SSL 3.0 for its own outgoing connections.

     Astral Internet customers can rest easy when it comes to this SSL vulnerability: all of our shared cloud hosting clients (and clients with service included) are already patched against the POODLE flaw.

     For more details about the POODLE attack, read the advisory published by the Google researchers, "This POODLE Bites: Exploiting The SSL 3.0 Fallback".

     To learn more about Astral Internet hosting plans, call us toll-free at (877) 667-0932 or visit https://www.astralinternet.com/en.