POODLE: Be Careful or It Will Bite

Thursday, October 23, 2014
WEST LAFAYETTE,  – 

If you are a healthcare organization that still employs the widely used, 15-year-old Secure Sockets Layer version 3.0 (SSL 3.0) security protocol, then the data in your web browsers, VPNs, and email clients is vulnerable to POODLE.

POODLE stands for Padding Oracle on Downgraded Legacy Encryption. It's a threat that allows hackers to steal information over time by altering communications between the SSL client and the server, especially if both the client and server support SSL 3.0. In this case, the attacker can leak approximately one byte of clear-text for every 256 requests. To leak enough data for the attacker to hijack a typical HTTP over SSL session, it would take a few minutes and approximately 2,000 forced requests by a hostile website connecting to another server in the background.

Recommendations from PHA Senior Advisor-Security George Bailey:

  1. Disable SSL 3.0 on all clients and servers. Start with your most business-critical, high-value assets, e.g., EHRs, Patient Portals, VPNs, Point of Sale systems, and other line of business applications. Don't forget about your STARTTLS-compliant services, such as IMAP, POP3, and SMTP.
  2. Getting a log summary of which encryption ciphers clients and browsers are using will help you understand how many people will be impacted.
  3. Because of its impact on your internal and external customers, you will likely need to stage this change over time. It's important to clearly communicate what you're planning so they understand the implications, too.
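One way to build the log summary from recommendation 2, as an added example that is not part of the original article. It assumes the server has been configured to log the negotiated protocol and cipher for each request; the line layout, sample log lines and function name are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed layout (constructed): client_ip protocol cipher "user-agent"
# Apache mod_ssl (%{SSL_PROTOCOL}x, %{SSL_CIPHER}x) and nginx ($ssl_protocol,
# $ssl_cipher) can emit these fields once added to the access-log format.
LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<proto>\S+) (?P<cipher>\S+) "(?P<ua>[^"]*)"$')
LEGACY = {"SSLv2", "SSLv3"}

# Constructed sample input, not real traffic.
SAMPLE_LOG = """\
198.51.100.7 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "Mozilla/5.0 (Windows NT 6.1) Chrome/38.0"
203.0.113.21 SSLv3 RC4-SHA "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.21 SSLv3 DES-CBC3-SHA "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.40 TLSv1 AES128-SHA "Mozilla/5.0 (Windows NT 6.1; rv:33.0) Firefox/33.0"
198.51.100.40 SSLv3 AES128-SHA "Mozilla/5.0 (Windows NT 6.1; rv:33.0) Firefox/33.0"
192.0.2.9 - - "healthcheck"
malformed line
"""

def summarize(log_text):
    """Count protocols and ciphers, and split clients by SSL 3.0 exposure."""
    by_proto, by_cipher = Counter(), Counter()
    protos_per_client = defaultdict(set)
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] == "-":  # unparseable line or plain-HTTP request
            skipped += 1
            continue
        by_proto[m["proto"]] += 1
        by_cipher[(m["proto"], m["cipher"])] += 1
        # Client IP approximates "one user"; NAT can hide several behind it.
        protos_per_client[m["ip"]].add(m["proto"])
    # Clients that never negotiated TLS lose access when SSL 3.0 is disabled.
    legacy_only = sorted(ip for ip, p in protos_per_client.items() if p <= LEGACY)
    # Clients that can speak TLS but were also seen on SSL 3.0: these keep
    # working, and the SSL 3.0 connections are worth a closer look.
    mixed = sorted(ip for ip, p in protos_per_client.items()
                   if p & LEGACY and not p <= LEGACY)
    total = sum(by_proto.values())
    legacy_share = sum(by_proto[p] for p in LEGACY) / total if total else 0.0
    return {"by_proto": by_proto, "by_cipher": by_cipher, "skipped": skipped,
            "legacy_only": legacy_only, "mixed": mixed, "legacy_share": legacy_share}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

The `legacy_only` list is the population to contact before the change is staged; `mixed` clients already support TLS.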

Additional notes:

  • If SSL2 and SSL3 are disabled in the web browser, the issue is not exploitable.
  • If SSL2 and SSL3 are disabled on the server, the issue is not exploitable.
  • If for some reason you still have Windows XP users running Internet Explorer 6, this will prevent attackers from accessing TLS-only services. Keep in mind that these users will not be able to access most of the internet once SSL 3.0 is blocked by major service providers. Windows XP users can switch to Chrome or Firefox as alternatives to Internet Explorer.

Writer: George Bailey, 765-494-7538, baileyga@purdue.edu

Tags: Health IT Security
