Bob Cromwell blog post on LibreSSL mentioned the POODLE attack recently. POODLE has caused a lot of discussion of SSL (Secure Sockets Layer), TLS (Transport Layer Security) and corresponding browser and server support. Browsers support different encryption algorithms and security protocols to allow users to access sites that support those protocols. Likewise sites support different encryption algorithms and protocols to try to support as many browsers as possible. Supporting older browsers may mean supporting weaker encryption. Fortunately, there are tests for who supports what. I’m showing one of each here – browser and server – but there are others. I’m not endorsing these, per se, I just use them sometimes.
First up is a browser test. Let’s look at my Firefox 37.0.2 browser.
You can see that my Firefox browser is vulnerable to POODLE and some of the Cipher Suites It prefers (there are more, too). After installing and configuring the SSL Version Control plugin, I am no longer vulnerable to POODLE and I no longer support SSL.
I also tried Internet Explorer 11. Note that it is not vulnerable
The server analysis gives a lot more information. This is part of the results of a server I use frequently. First up is the overall grade. This is especially useful for going to the IT department and saying “see, we need to configure our servers more securely.”
Now we have the protocols and ciphers. Note the weak cipher still supported (probably for international customers) and the lack of SSL support
I hope this introduction to browser and server support helps you be more confident in your browsing and can help you make your users and customers more secure.
For more, have a look at Learning Tree’s course on Securing Web Applications where securing communication with SSL/TLS is covered.
To your safe computing,
John McDermott