A security vulnerability known as POODLE was publicly announced that affects a relatively low number of Internet-connected devices. However, this vulnerability is critical and could allow an attacker to read encrypted information, even when it is passed over an SSL connection. To fully mitigate this vulnerability, Agile Ticketing will be disabling SSL v3 completely across our infrastructure on Tuesday, April 14, 2015. The impact of this change should be very minimal: clients still running IE 6 on Windows XP, or older Windows Mobile gate-control devices, will not be able to establish a connection after these changes.
Although Agile Ticketing is not vulnerable, we have taken this issue seriously by following the steps below.
What we've done:
- Validated that Agile Ticketing is not vulnerable to the published vulnerability. We do not enable CBC ciphers in SSLv3, which are a key component of executing the current exploit. Our mitigation is similar to the recommendation that Google has made here.
- Validated that our data center and security partners have mitigated this issue with their services.
What we will continue to do:
- Like many other companies, we will be disabling SSLv3 across the Agile Ticketing platform to avoid future SSLv3 weaknesses.
- Utilize both our internal and third-party threat-intelligence capabilities to continue monitoring for potential attacks related to Agile Ticketing, and continue to scan and monitor our infrastructure for any possible weaknesses.
What you should do:
- Upgrade your browser to the latest version. If using Internet Explorer 6, move to a more modern, supported browser.
- Disable SSLv3 support within your browser. You can check if your browser is vulnerable by going here and looking for SSLv3 “Yes”. To disable SSLv3 support, make the following changes and restart your browser:
  - Mozilla Firefox
    - Open about:config, find security.tls.version.min and set the value to 1.
  - Google Chrome
    - Newer versions of Chrome support TLS_FALLBACK_SCSV, which mitigates this issue.
    - You can explicitly disable support for SSLv3 by launching Chrome with the command-line flag --ssl-version-min=tls1. Further instructions about using command-line flags can be found here.
  - Internet Explorer
    - Go into “Internet Options”, “Advanced”, and uncheck SSLv3.
- Become familiar with the issue. This blog post provides an excellent breakdown of the vulnerability.
- Scan your own infrastructure for this vulnerability using available tools. Two tools are available from Tinfoil Security and SSL Labs.
- Reach out to your external third parties to ensure that they are aware of this critical issue and are executing a mitigation strategy.
- Be cognizant of opportunistic phishers who email you urging you to patch your devices. Don’t click on links that look suspicious.
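As an added illustration of the self-check recommended in the list above (this is not Agile Ticketing's tooling and not one of the scanners linked there), the following Python script sends a bare SSLv3 ClientHello to a server you operate and reports whether it answers with an SSLv3 ServerHello, and if so which cipher suite it chose, flagging CBC suites (the POODLE precondition this advisory discusses), or whether it refuses with an alert or closes the connection. The host, port and the short cipher-suite list are assumptions chosen for the example; the response parsing is what a practitioner would use to read the result.

```python
"""Defender's self-check: does a server still negotiate SSLv3, and with a CBC suite?

Added example; it speaks the SSLv3 record and handshake format directly because
modern TLS libraries no longer offer SSLv3 at all.
"""
import os
import socket
import struct
import sys

# Suites offered in the probe (an illustrative selection). The CBC suites are
# what POODLE requires; the RC4 suites let a server that allows SSLv3 but only
# with RC4 be told apart from one that still allows CBC under SSLv3.
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
}
SSLV3 = b"\x03\x00"                  # record/handshake version for SSL 3.0
HANDSHAKE, ALERT = 0x16, 0x15        # record content types
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version"}


def build_sslv3_client_hello(random_bytes=None):
    """Return one SSLv3 record carrying a ClientHello (SSLv3 has no extensions)."""
    rnd = random_bytes if random_bytes is not None else os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (SSLV3 + rnd
            + b"\x00"                                    # empty session_id
            + struct.pack("!H", len(suites)) + suites    # cipher_suites vector
            + b"\x01\x00")                               # compression: null only
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Interpret the first record the server sends back to the probe.

    Returns {'sslv3': bool, 'cipher': name or None, 'cbc': bool, 'detail': str}.
    """
    refused = {"sslv3": False, "cipher": None, "cbc": False}
    if len(data) < 5:
        return dict(refused, detail="connection closed without a record")
    rec_type, rec_ver = data[0], data[1:3]
    rec_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if rec_type == ALERT and len(payload) >= 2:
        desc = payload[1]
        return dict(refused, detail="alert " + ALERT_NAMES.get(desc, str(desc)))
    if rec_type == HANDSHAKE and rec_ver == SSLV3 and payload and payload[0] == SERVER_HELLO:
        hello = payload[4:]  # skip handshake type and 3-byte length
        # ServerHello: version(2) random(32) session_id_len(1) session_id cipher_suite(2) compression(1)
        if len(hello) >= 35 and len(hello) >= 37 + hello[34]:
            sid_len = hello[34]
            suite = struct.unpack("!H", hello[35 + sid_len:37 + sid_len])[0]
            name = CIPHER_SUITES.get(suite, "0x%04X" % suite)
            # CBC is judged from the suite name; an unknown suite id is not flagged.
            return {"sslv3": True, "cipher": name, "cbc": "_CBC_" in name,
                    "detail": "ServerHello accepted SSLv3"}
    return dict(refused, detail="unexpected record type 0x%02X" % rec_type)


def probe_host(host, port=443, timeout=5.0):
    """Send the probe to a host you operate and classify its first reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: sslv3_check.py <host> [port]")
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    result = probe_host(sys.argv[1], port)
    verdict = "STILL ACCEPTS SSLv3" if result["sslv3"] else "SSLv3 refused"
    print(sys.argv[1], verdict, "-", result["detail"], result["cipher"] or "")
```

A server that has completed the change this advisory describes should answer the probe with a handshake_failure or protocol_version alert, or simply close the connection; a ServerHello that selects one of the CBC suites means the POODLE precondition is still present.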
Comments
We have completed the necessary changes to disable SSL 3.0 and RC4 ciphers from all web servers. All changes scheduled for Tuesday, April 14, 2015 have been completed. All affected services are fully operational.