Nov 3, 2014

Protect your employees from POODLE with this simple Group Policy

By now you have probably heard about POODLE, which looks like it will kill SSL 3.0. If you haven't, here is a description from US-CERT:

The SSL 3.0 vulnerability stems from the way blocks of data are encrypted under a specific type of encryption algorithm within the SSL protocol. The POODLE attack takes advantage of the protocol version negotiation feature built into SSL/TLS to force the use of SSL 3.0 and then leverages this new vulnerability to decrypt select content within the SSL session. The decryption is done byte by byte and will generate a large number of connections between the client and server.
Microsoft has announced that they will be making a hotfix available that disables SSL 3.0 for Internet Explorer in the registry. You can do that yourself today via Group Policy by making the following setting:
  • In Group Policy Management create a new Group Policy Object called TLS Settings
  • Browse to Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Explorer Control Panel > Advanced Page > Turn Off Encryption Support
  • Set the policy to Enabled, and in the Secure Protocol combinations drop-down box select: Use TLS 1.0, TLS 1.1 and TLS 1.2, then click Apply
After the policy applies, Internet Explorer on those clients (and applications that use its Internet Settings) will negotiate only TLS 1.0 and above, so a POODLE-style downgrade cannot push it onto SSL 3.0 (or SSL 2.0). The trade-off is that sites that still speak only SSL 3.0 will stop working in IE. Note that this setting governs Internet Explorer only; other browsers and applications keep their own protocol configuration, and it does not change what Windows offers on the server side.
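To confirm the policy actually landed on a client, the following PowerShell script (an added example, not part of the original post) reads the SecureProtocols value that the "Turn off encryption support" policy writes and decodes it. It assumes the policy stores the value under the Policies\Microsoft\Windows\CurrentVersion\Internet Settings key and uses the documented IE bit flags (SSL 3.0 = 0x20, TLS 1.0 = 0x80, TLS 1.1 = 0x200, TLS 1.2 = 0x800); the optional Set-IESecureProtocolsGpo function sets the same value on the GPO from the command line and requires the GroupPolicy RSAT module.

```powershell
# Added example: verify (and optionally set) the IE SecureProtocols value
# behind the "Turn off encryption support" Group Policy setting.
# Bit values are the documented IE flags; one bit per protocol.
$protocolBits = [ordered]@{
    'SSL 2.0' = 0x08
    'SSL 3.0' = 0x20
    'TLS 1.0' = 0x80
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
}

# Value the GPO should produce for "Use TLS 1.0, TLS 1.1 and TLS 1.2":
# 0x80 + 0x200 + 0x800 = 0xA80 (decimal 2688).
$expectedMask = $protocolBits['TLS 1.0'] -bor $protocolBits['TLS 1.1'] -bor $protocolBits['TLS 1.2']

function ConvertFrom-SecureProtocolsMask {
    # Decode a SecureProtocols DWORD into the list of enabled protocols.
    param([Parameter(Mandatory)][int]$Mask)
    $enabled = foreach ($name in $protocolBits.Keys) {
        if ($Mask -band $protocolBits[$name]) { $name }
    }
    [pscustomobject]@{
        Mask       = ('0x{0:X}' -f $Mask)
        Enabled    = ($enabled -join ', ')
        SSL3Active = [bool]($Mask -band $protocolBits['SSL 3.0'])
        MatchesGpo = ($Mask -eq $expectedMask)
    }
}

function Test-IESecureProtocols {
    # Check the machine policy key first (assumed path the GPO writes to),
    # then the user policy key, then the user's own Internet Settings.
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
        'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
    )
    foreach ($path in $paths) {
        $item = Get-ItemProperty -Path $path -Name SecureProtocols -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            Write-Output "$path : SecureProtocols not set"
            continue
        }
        $r = ConvertFrom-SecureProtocolsMask -Mask $item.SecureProtocols
        $verdict = if ($r.SSL3Active) { 'SSL 3.0 STILL ENABLED' } else { 'SSL 3.0 off' }
        Write-Output "$path : mask=$($r.Mask) enabled=[$($r.Enabled)] -> $verdict"
    }
}

function Set-IESecureProtocolsGpo {
    # Write the same value the console steps produce, directly onto the GPO.
    # Needs the GroupPolicy module (RSAT) and rights to edit the GPO.
    param([string]$GpoName = 'TLS Settings')
    Import-Module GroupPolicy
    Set-GPRegistryValue -Name $GpoName `
        -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings' `
        -ValueName 'SecureProtocols' -Type DWord -Value $expectedMask
}

Write-Output ('Expected policy value: 0x{0:X} ({0})' -f $expectedMask)
Test-IESecureProtocols
```

Run Test-IESecureProtocols on a workstation after gpupdate /force; a mask of 0xA0 (SSL 3.0 plus TLS 1.0, the pre-POODLE IE default) means the policy has not applied yet, while 0xA80 is the value the steps above should produce.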


