Time to Say Goodbye to SSL Version 3.0


It is no secret that securing your clients' data is an ongoing process, not something you install once on a server or platform. That is why security solutions and protocols evolve constantly and developers release new versions frequently. The two cryptographic protocols that provide communication security over the Internet are TLS and SSL. The latest version of Secure Sockets Layer, SSL 3.0, is the predecessor of TLS and is nearly 15 years old, so it was only a matter of time before someone found the next big issue in the SSL protocol. Yesterday Bodo Möller of the Google Security Team published a blog post about a new vulnerability in the design of SSL 3.0, which allows attackers to recover the plain text of connections that were supposed to be secure.

Possible Fixes:

There are two ways to protect yourself. The first and best way to mitigate this problem is to disable SSL 3.0 completely on all of your servers and also remove SSL 3.0 support from all client products. For example, in the same blog post Google officially announced that in the coming months it will remove SSL 3.0 support from all of its client products, including the Google Chrome browser. Cloudflare and Sucuri have already stopped supporting it. All other major browsers will also disable SSLv3 by default (Firefox 34 will be released on Nov 25).

The second solution is to support TLS_FALLBACK_SCSV. This mechanism prevents attackers from tricking browsers into using the old SSLv3 protocol instead of TLS. However, it is difficult to implement (many people will need to compile a custom version of OpenSSL manually), and it is only a patch for this particular downgrade issue: it offers no guarantee that SSLv3 won't turn out to be vulnerable again a week from now.
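Whichever fix you pick, you will want to verify the outcome from the outside. The following script is an added example (not code from this post or from SiteGround): it builds a bare SSLv3 ClientHello, optionally carrying the TLS_FALLBACK_SCSV signalling suite (value 0x5600 from RFC 7507), and classifies the first record the server sends back. It assumes a server that has dropped SSLv3 either closes the socket or answers with an alert such as protocol_version (70), handshake_failure (40) or, when SCSV is honoured, inappropriate_fallback (86); a ServerHello means SSLv3 is still enabled.

```python
import os
import socket
import struct

SSL3_VERSION = b"\x03\x00"
TLS_FALLBACK_SCSV = b"\x56\x00"   # RFC 7507 signalling cipher suite value
# Alert descriptions a server may return instead of a ServerHello
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}


def build_sslv3_client_hello(with_fallback_scsv=False):
    """Build a minimal SSLv3 ClientHello record (constructed for this probe)."""
    cipher_suites = b"\x00\x2f\x00\x35\x00\x0a"  # AES128-SHA, AES256-SHA, DES-CBC3-SHA
    if with_fallback_scsv:
        cipher_suites += TLS_FALLBACK_SCSV          # signals "this is a downgrade retry"
    body = (SSL3_VERSION + os.urandom(32) + b"\x00"  # client_version, random, empty session id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00")                           # one compression method: null
    # Handshake header: type 1 (ClientHello) + 3-byte length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type 0x16 (handshake), version 3.0, 2-byte length
    return b"\x16" + SSL3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Interpret the first record (or lack of one) the server sends back."""
    if len(data) < 5:
        return "no_response"                     # socket closed: SSLv3 not offered
    content_type = data[0]
    if content_type == 0x16 and len(data) > 5 and data[5] == 0x02:
        return "sslv3_accepted"                  # ServerHello: SSLv3 is still enabled
    if content_type == 0x15 and len(data) >= 7:  # alert record: level, description
        return "rejected:" + ALERT_NAMES.get(data[6], str(data[6]))
    return "unexpected"


def probe(host, port=443, with_fallback_scsv=False, timeout=5.0):
    """Send the ClientHello to a live server and classify its reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello(with_fallback_scsv))
        try:
            return classify_response(sock.recv(4096))
        except socket.timeout:
            return "no_response"
```

Run `probe("your.host.example")` against each of your own servers after reconfiguring; anything other than `sslv3_accepted` means the SSLv3 handshake was refused.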

Our Solution:

Based on a detailed analysis of our network and the traffic towards our servers, we decided to remove SSL 3.0 support completely. In fact, a large portion of our servers have already been configured to support only the TLS encryption protocol, and we are in the process of reconfiguring all machines that are part of our infrastructure.

Possible Issues:

We know that some web applications still use SSLv3. Say, for example, that a developer has configured a PHP app to use SSLv3 via the CURLOPT_SSLVERSION option. Unfortunately, if such an application connects to our servers, the connection will not be established and the developer will need to patch the app's code. Our analysis shows that less than 0.05% of all traffic towards our servers is SSLv3, so we do not expect such issues to occur, but we still encourage our customers to contact us via our Helpdesk if they notice any SSL-related issues.

Enterprise Cloud Solutions Architect

My challenging job is closely related to all kinds of Free and Open-Source Software products (some of my favorites are WordPress, Joomla!, Magento, Varnish and Apache mod_security). As a web security and performance freak, I am always hyper-focused on solving all kinds of issues and improving our services.

6 Comments

  1. Max (SiteGround Team), October 18, 2014 / 13:19

    Thanks for being awesome SiteGround 🙂

    Keep up the great work on proactive security!

    Aloha

  2. Rod Warrix (SiteGround Team), October 19, 2014 / 21:02

    I'd like to also thank you for posting this. I did not see or hear anything before seeing it here, and it's good to know that these security vulnerabilities are out there and active; it helps to find the solution for our personal or business websites hosted with Siteground, even though you have got the best secured hosting around, with lots of understandable features to offer us all to help us keep our sites optimized, clean and secure. I have not had really one problem in like the three years with you! Great support and team efforts making hosting with you easy and simple. Thanks a lot.

  3. Gert Steenssens (SiteGround Team), October 21, 2014 / 07:57

    Hi, glad to hear that.
    Which I guess is also the reason why the SiteGround control panel is now *not* defaulting to RC4 anymore; good thing it got dropped with this change... a thing cryptographers have been recommending for some time (http://blog.cryptographyengineering.com/2013/03/attack-of-week-rc4-is-kind-of-broken-in.html)

    Also, how do I force the control panel to now use AES instead of 3DES (ew)?

  4. Sandra Moser (SiteGround Team), October 25, 2015 / 15:00

    I have an old PC with XP, what can I do so I can still use it?

    • Marina Yordanova (SiteGround Team), October 27, 2015 / 03:53

      If you have an older version of Windows, such as Windows XP, make sure it is at least patched with SP3 to be able to access sites with SSLv3 disabled.

  5. Shahar Bahasi (SiteGround Team), June 2, 2016 / 02:13

    Thank you for simplifying
