POODLE: SSLv3 vulnerability (CVE-2014-3566)

POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack.

The recommended fix is to disable SSLv3 on the server side. SSLv3 can also be disabled on the client side.

Firefox

Please see the Mozilla Security Blog for how to protect yourself (plug-in available under “Additional Precautions”).

Alternatively, you can set the value security.tls.version.min = 1 in the about:config dialog.

Google Chrome

Chrome does not have a setting configurable in the user interface to turn off SSLv3. Instead, Chrome needs to be told not to use SSLv3 at launch. To automatically launch Chrome with SSLv3 disabled, follow the instructions for your operating system below.

  1. Enter --ssl-version-min=tls1 under Target in the properties of the Chrome browser icon.
  2. Alternatively, you can edit the http/shell/open/command registry value in HKEY_CLASSES_ROOT to specify --ssl-version-min=tls1 at the end, similar to the following example: "C:\Program Files\Google\Chrome\Application\chrome.exe" --ssl-version-min=tls1 -- "%1". This will protect you even if you open Chrome by clicking a link in an email or other document. Thanks to Dr. Thomas Kunst.
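
An added example, not part of the original post: a Python check that a shortcut Target or the http/shell/open/command value carries the switch where Chrome will read it, that is, before the bare `--` that ends switch parsing. The sample command lines are constructed, the function names are hypothetical, and accepting `tls1.1` and `tls1.2` in addition to the page's `tls1` is an assumption.

```python
import re

FLAG = "--ssl-version-min"
# "tls1" is the value used on this page; the higher values are an assumption.
ACCEPTED = {"tls1", "tls1.1", "tls1.2"}
EXE = r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'

def tokenize(command):
    """Split a Windows command line into quoted strings and bare words."""
    return re.findall(r'"[^"]*"|\S+', command)

def audit(command):
    """Return 'ok', 'bad-value', 'after-terminator' or 'missing'."""
    args = tokenize(command)[1:]  # drop the executable path
    # Chrome stops reading switches at a bare "--"; later tokens are
    # treated as URLs or files, so a switch placed there has no effect.
    end = args.index("--") if "--" in args else len(args)
    for tok in args[:end]:
        name, _, value = tok.partition("=")
        if name == FLAG:
            return "ok" if value in ACCEPTED else "bad-value"
    if any(t.startswith(FLAG) for t in args[end + 1:]):
        return "after-terminator"
    return "missing"

def harden(command, value="tls1"):
    """Rebuild the command with one valid switch right after the executable."""
    exe, *rest = tokenize(command)
    rest = [t for t in rest if not t.startswith(FLAG)]
    return " ".join([exe, f"{FLAG}={value}", *rest])

# Constructed sample values for a shortcut Target or the registry command.
SAMPLES = [
    EXE + ' --ssl-version-min=tls1 -- "%1"',    # as in the page's example
    EXE + ' -- "%1"',                           # switch never added
    EXE + ' --ssl-version-min=tls1at -- "%1"',  # text fused onto the value
    EXE + ' -- "%1" --ssl-version-min=tls1',    # placed after the terminator
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        status = audit(cmd)
        print(f"{status:17} {cmd}")
        if status != "ok":
            print(f"{'fix:':17} {harden(cmd)}")
```
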

Internet Explorer

To disable SSLv3 in Internet Explorer on Windows Vista and newer, uncheck the “Use SSL 3.0” box on the “Advanced” tab in the Internet Options program.

  1. Launch “Internet Options” from the Start Menu
  2. Click the “Advanced” tab
  3. Uncheck “Use SSL 3.0”

Safari

Apple has released Security Update 2014-005, which disables CBC-mode ciphers in coordination with SSLv3. The patch is available for Mac OS Mavericks, Mountain Lion, and Yosemite.

Source: https://zmap.io/sslv3/browsers.html
