About the SSL 3.0 security vulnerability known as POODLE

October 16, 2014

A vulnerability in the SSL 3.0 protocol has recently been disclosed. It affects both clients (browsers) and servers. If you are using HTTPS on Abyss Web Server, please keep reading.

The vulnerability

CVE-2014-3566 (a.k.a. POODLE) affects any connection negotiated with SSL 3.0. It exploits the way SSL 3.0 handles cipher block chaining (CBC) mode: the padding at the end of a record is not covered by the MAC and, apart from its length byte, is never checked by the receiver. An attacker in a Man-in-the-Middle position who can make a compromised client (typically through injected JavaScript) send chosen requests to a legitimate server can rewrite the encrypted records and, from whether the server accepts or rejects each one, recover a secret such as a session cookie one byte at a time, at an expected cost of 256 requests per byte. (Technical details about the attack.)
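How that oracle works, shown as an added simulation; this is not Abyss Web Server or Aprelium code. The block cipher is a toy 8-byte Feistel construction, the MAC is a truncated HMAC-SHA256, each record carries a fresh random IV, and the attacker is assumed to know the secret's length and to control how many bytes precede and follow it, which is what the injected JavaScript provides in the real attack. With strict_padding switched on the receiver checks every pad byte, as TLS 1.0 and later do, and the same attack stalls.

```python
import hashlib
import hmac
import os
# Added illustration of the POODLE padding oracle (CVE-2014-3566), not Abyss Web
# Server or Aprelium code. Assumed stand-ins: an 8-byte toy Feistel cipher, a
# truncated HMAC-SHA256 as the MAC, a fresh random IV per record, and an attacker
# who controls how many bytes precede/follow the secret and knows its length.

BLOCK, MAC_LEN, ROUNDS = 8, 8, 4

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, r, half):  # Feistel round function
    return hashlib.sha256(key + bytes([r]) + half).digest()[:BLOCK // 2]

def block_encrypt(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(ROUNDS):
        l, r = r, xor(l, _f(key, i, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(ROUNDS)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def seal_record(key, mac_key, data, strict_padding=False):
    # One record: data || MAC || padding, CBC-encrypted, IV prepended.
    body = data + hmac.new(mac_key, data, hashlib.sha256).digest()[:MAC_LEN]
    pad_len = BLOCK - 1 - len(body) % BLOCK  # 0..BLOCK-1; a whole block when body is aligned
    # SSL 3.0 leaves the pad bytes undefined; TLS requires each to equal pad_len.
    pad = bytes([pad_len]) * pad_len if strict_padding else os.urandom(pad_len)
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, body + pad + bytes([pad_len]))

def open_record(key, mac_key, record, strict_padding=False):
    """Return the data, or None if rejected. strict_padding=False is SSL 3.0: only the length
    byte is checked and the MAC does not cover the padding (the POODLE flaw); True is TLS-style."""
    pt = cbc_decrypt(key, record[:BLOCK], record[BLOCK:])
    pad_len = pt[-1]
    if pad_len >= BLOCK or len(pt) < pad_len + 1 + MAC_LEN:
        return None
    if strict_padding and any(b != pad_len for b in pt[-1 - pad_len:]):
        return None
    body = pt[:len(pt) - pad_len - 1]
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    return data if hmac.compare_digest(mac, hmac.new(mac_key, data, hashlib.sha256).digest()[:MAC_LEN]) else None

def poodle_attack(client, server_accepts, secret_len, max_tries_per_byte=100_000):
    """Recover the secret from accept/reject answers only. client(prefix_len, suffix_len)
    returns a fresh record for prefix_len filler bytes, the secret, then suffix_len filler bytes."""
    recovered = bytearray()
    for k in range(secret_len):
        prefix_len = (BLOCK - 1 - k) % BLOCK                       # target byte ends its block
        suffix_len = -(prefix_len + secret_len + MAC_LEN) % BLOCK  # data+MAC aligned: full pad block
        target = (prefix_len + k) // BLOCK                         # plaintext block of the target byte
        for _ in range(max_tries_per_byte):
            rec = client(prefix_len, suffix_len)
            blocks = [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]  # blocks[0] is the IV
            c_target, c_prev_target, c_prev_last = blocks[target + 1], blocks[target], blocks[-2]
            tampered = b"".join(blocks[:-1]) + c_target  # padding block swapped for the target block
            if server_accepts(tampered):
                # Accepted only if D(c_target) xor c_prev_last ends in BLOCK-1, and D(c_target) = P_target xor c_prev_target
                recovered.append((BLOCK - 1) ^ c_prev_target[-1] ^ c_prev_last[-1])
                break
        else:
            raise RuntimeError("oracle never accepted: the receiver checks the padding")
    return bytes(recovered)

def demo(secret=b"SID=9f2c", strict_padding=False, max_tries_per_byte=100_000):
    key, mac_key = os.urandom(16), os.urandom(16)  # constructed keys, never seen by the attacker

    def client(prefix_len, suffix_len):
        return seal_record(key, mac_key, b"P" * prefix_len + secret + b"S" * suffix_len, strict_padding)

    def server_accepts(record):
        return open_record(key, mac_key, record, strict_padding) is not None

    return poodle_attack(client, server_accepts, len(secret), max_tries_per_byte)

def strict_padding_defeats_attack(tries=3_000):
    # True if the TLS-style padding check starves the oracle within `tries` per byte.
    try:
        demo(strict_padding=True, max_tries_per_byte=tries)
    except RuntimeError:
        return True
    return False
```

demo() returns the full secret after roughly 256 tampered records per byte, without the attacker ever learning a key; the MAC still verifies on every accepted record because the substituted block is discarded as padding. strict_padding_defeats_attack() runs the same attack against a receiver that checks all pad bytes and shows the oracle no longer answers, which is why the attack is specific to SSL 3.0's CBC handling.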

Is Abyss Web Server affected?

Modern versions of Abyss Web Server support SSL 3.0 but do not enable CBC cipher suites by default. POODLE needs a CBC suite to be negotiated under SSL 3.0, so with those suites left out of the default configuration the padding oracle it relies on is not available and your server is not affected by the vulnerability. Note that this is a mitigation rather than a cure: the only non-CBC cipher SSL 3.0 can fall back to is RC4, which has well-documented statistical weaknesses of its own, so disabling SSL 3.0 altogether (see below) remains the better option.

If your TLS/SSL Ciphers setting is already Strong, SSL 3.0 is not offered at all, so its cipher suites are disabled and you are safe from POODLE and any attempt to use it.

Being on the safe side by fully disabling SSL 3.0

Legacy browsers (such as Internet Explorer 6 and some old mobile browsers) still rely on SSL 3.0 to access HTTPS sites. If they do not represent a significant share of your visitors, and you want to be on the safe side, you can disable SSL 3.0 support as follows:

  • Open Abyss Web Server's console.
  • Click on Configure for the host which has HTTPS enabled.
  • Select General, then press Edit... in front of Advanced Configuration.
  • Set TLS/SSL Ciphers to Custom Ciphers Suite and set the text field next to it to:

    RC4-SHA:HIGH:MEDIUM:LOW:DEFAULT:-EXP:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!SSLv3

  • Press OK and restart Abyss Web Server.

Once the server is back up, verify from another machine that a handshake restricted to SSL 3.0 is refused while a TLS 1.0 handshake still succeeds, so that the change really disabled SSL 3.0 without locking out the TLS 1.0-only clients you meant to keep.

Being radical and supporting modern TLS only

If you want the strictest configuration and are sure that none of your visitors use old browsers (such as Internet Explorer 7 or 8) or Android 2.x phones, you can configure your server to disable SSL 3.0 and to refuse the weak and medium-strength cipher suites that TLS 1.0 clients rely on. For that:

  • Open Abyss Web Server's console.
  • Click on Configure for the host which has HTTPS enabled.
  • Select General, then press Edit... in front of Advanced Configuration.
  • Set TLS/SSL Ciphers to Strong.
  • Press OK and restart Abyss Web Server.