POODLE Attack: Registry Settings to Disable SSL 3.0


A POODLE attack is an exploit that takes advantage of the way some browsers deal with encryption. POODLE (Padding Oracle On Downgraded Legacy Encryption) is the name of the vulnerability that enables the exploit.

Microsoft is aware of detailed information that has been published describing a new method to exploit a vulnerability in SSL 3.0. This is an industry-wide vulnerability affecting the SSL 3.0 protocol itself and is not specific to the Windows operating system. All supported versions of Microsoft Windows implement this protocol and are affected by this vulnerability. Microsoft is not aware of attacks that try to use the reported vulnerability at this time. Considering the attack scenario, this vulnerability is not considered high risk to customers.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.

Microsoft is announcing that with the release of security update 3038314 on April 14, 2015, SSL 3.0 is disabled by default in Internet Explorer 11. Microsoft is also announcing that SSL 3.0 will be disabled across Microsoft online services over the coming months. We recommend customers migrate clients and services to more secure security protocols, such as TLS 1.0, TLS 1.1 or TLS 1.2.

Mitigating Factors

  • The attacker must make several hundred HTTPS requests before the attack could be successful.
  • TLS 1.0, TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.

Recommendation

Disable SSL 3.0.


Solution – Issue command

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v SecureProtocols /t REG_DWORD /d 2688

This registry change is equivalent to making the following change in the local group policy:

  • Browse to Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Advanced Page -> Turn off encryption support
  • Change Turn off Encryption Support setting to “Enabled”
  • Under Options, change the Secure Protocol combinations setting to “Use TLS 1.0, TLS 1.1, and TLS 1.2”
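The value 2688 (0xA80) is a bitmask: 0x80 (TLS 1.0) + 0x200 (TLS 1.1) + 0x800 (TLS 1.2), with the SSL 3.0 bit (0x20) and SSL 2.0 bit (0x8) cleared. The following PowerShell script is an added example, not part of the original article, that reads SecureProtocols from the policy key written by the command above and from the per-user Internet Settings key, decodes the bitmask, and warns if SSL 3.0 is still enabled. The function name Get-SecureProtocolsState and the decoding table are assumptions made here; the bit values are the documented SecureProtocols flags.

```powershell
# Added example (not from the original article): audit the SecureProtocols
# bitmask that the reg add command above writes and report which protocols
# remain enabled. Bit values are the documented SecureProtocols flags.
$flags = [ordered]@{
    'SSL 2.0' = 0x8
    'SSL 3.0' = 0x20
    'TLS 1.0' = 0x80
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
}

# Hypothetical helper: decode a SecureProtocols DWORD into per-protocol rows.
function Get-SecureProtocolsState {
    param([int]$Value)
    foreach ($name in $flags.Keys) {
        [pscustomobject]@{
            Protocol = $name
            Enabled  = (($Value -band $flags[$name]) -ne 0)
        }
    }
}

# The policy key (written by the reg add command above) overrides the
# per-user value that the Internet Options dialog stores under HKCU.
$paths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
)

foreach ($path in $paths) {
    $value = (Get-ItemProperty -Path $path -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols
    if ($null -eq $value) {
        Write-Output "$path : SecureProtocols not set"
        continue
    }
    Write-Output ("{0} : SecureProtocols = {1} (0x{1:X})" -f $path, $value)
    Get-SecureProtocolsState -Value $value | Format-Table -AutoSize | Out-String | Write-Output
    if (($value -band $flags['SSL 3.0']) -ne 0) {
        Write-Warning "SSL 3.0 is still enabled under $path"
    }
}

# Decoding of the recommended value 2688 (0xA80): only TLS 1.0, 1.1 and 1.2 enabled.
Get-SecureProtocolsState -Value 2688 | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt after applying the reg add command; the policy-key row should show SSL 2.0 and SSL 3.0 as False. Note that SecureProtocols governs Internet Explorer and other WinINet-based clients on the machine; it does not change which protocols a Windows server's TLS stack offers, which is configured separately.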


Notes

https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2015/3009008