POODLE vulnerability update | Heart Internet Blog – Focusing on all aspects of the web

One of the interesting results of technology’s growth is that security vulnerabilities (such as Heartbleed and Shellshock) are starting to be reported by the mainstream media. These types of industry flaws are dealt with and patched by our security team every week, so it’s something of a guessing game as to which the press will start reporting and thus which our customers (and your customers) will start asking about.

Long story short, we want to assure you that we’re on top of all security issues and have usually patched them before the media is even aware of them. Whether we write a blog post on the topic or not, we want you to know that we’ve done the behind-the-scenes work and your websites, customers, and visitors are safe. If we believe there is a likely risk to self-managed services such as VPS and Dedicated Servers, we’ll inform you accordingly so you can act. That said, the POODLE vulnerability is very minor in comparison to Heartbleed and Shellshock and affects far fewer people, as we’ll explain below.  


What is the POODLE vulnerability?

In a nutshell, POODLE (CVE-2014-3566) is a flaw in the way SSL 3.0 checks padding in its CBC-mode cipher suites. An attacker sitting between a browser and a server (a man-in-the-middle) who can also make the browser issue many requests, for example through JavaScript injected into a plain http page, can use the server's responses as a padding oracle and recover secret bytes from the encrypted connection, such as a session cookie, at roughly one byte per 256 requests, and then use that cookie to hijack the user's session. Because browsers of the time retried a failed TLS handshake using SSL 3.0, the attacker could push even a modern browser down to SSL 3.0 as long as the server still had it enabled. If you're interested in the technical details, you can read more about it here: https://access.redhat.com/articles/1232123

Our actions to date

As when any industry vulnerability is discovered, we acted immediately. In this instance, we chose to disable SSL 3.0 across our estate as this is the only complete method to counter the attack. It’s also the same precaution that the web’s biggest sites, such as eBay, have taken to safeguard their users.

Who does it affect?

SSL 3.0 dates back to 1996, so it's a dinosaur in terms of web technology, and was superseded by TLS 1.0 in 1999. For the vast majority of websites and visitors, disabling it won't make any difference to their experience. However, a small number of people using unsupported legacy browsers and operating systems – such as IE6 on Windows XP – may be affected by this change (IE6 can in fact speak TLS 1.0, but that option is switched off by default under Internet Options -> Advanced). It's estimated that less than 0.1% of users use IE 6 (source).


What you need to do

If you’re a shared hosting customer

If you have a Starter Pro, Home Pro, Business Pro, or Reseller Pro hosting account with us, you don’t need to take any action. We’ve already secured everything to protect you against the POODLE vulnerability.

If you have a VPS, Hybrid Server or Dedicated Server (or you’re a Reseller and a customer has one)

We strongly recommend you consider disabling SSL 3.0 to protect people connecting on any services using https/TLS (if you absolutely must leave SSL 3.0 enabled, please skip to the ‘Other mitigation’ section at the bottom of this post). To do this, complete the following steps for your particular server:


How to disable SSL 3.0 on your VPS, Hybrid Server or Dedicated Server


For servers running cPanel

1. Log in to WHM -> Service Configuration -> Apache Configuration -> Include Editor.

2. Under "Pre Main Include", select All Versions.

3. Enter the following into the text box for CentOS 6.x (two separate lines):

              SSLHonorCipherOrder On
              SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

4. Enter the following into the text box for CentOS 5.x (CentOS 5 ships OpenSSL 0.9.8, which does not support TLS 1.1 or 1.2, so only TLS 1.0 can be enabled there):

             SSLHonorCipherOrder On
             SSLProtocol -All +TLSv1

5. Click Update, then click “Restart Apache”.

More detailed advice on configuring all services in cPanel can be found here: https://documentation.cpanel.net/display/CKB/How+to+Adjust+Cipher+Protocols

For servers running Plesk, and all other Linux servers – Apache httpd

1. Add the following line to your Apache SSL configuration (httpd.conf, ssl.conf or each VirtualHost that has SSLEngine On), and remove or change any existing SSLProtocol line that still allows SSLv3, since a per-VirtualHost setting overrides the global one:

              SSLProtocol All -SSLv2 -SSLv3

2. Check the syntax with apachectl configtest (or httpd -t), then restart the httpd server.

Additional in-depth advice on configuring Plesk is located here: https://kb.sp.parallels.com/en/123160

For Windows servers

1. Click Start, click Run, type regedit, and then click OK.

2. In Registry Editor, locate the following registry key:

                HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

(If the complete registry key path does not exist, create the missing parts one level at a time by selecting the parent key and using New -> Key from the Edit menu. Note that the key name is "SSL 3.0", with a space.)

3. With the Server key selected, on the Edit menu point to New and click DWORD (32-bit) Value.

4. Name the new value Enabled and press Enter. (If a value called Enabled is already present, double-click it to edit it instead.)

5. Double-click Enabled, type 0 in the Value data box and click OK. The data type stays REG_DWORD.

6. Restart the server. The change only takes effect after a reboot.

This workaround will disable SSL 3.0 for all server software installed on a system, including IIS. After applying this workaround, clients that rely only on SSL 3.0 will not be able to communicate with the server.

Additional information can be found here: https://technet.microsoft.com/library/security/3009008


Other mitigation for VPS, Hybrid Server & Dedicated Servers

The following advice is optional once SSL 3.0 is disabled, but it closes the forced-downgrade trick that POODLE relies on and will help against similar attacks in the future.

Updated OpenSSL packages are available for most Linux distributions. If you have automatic updates enabled, you most likely already have them installed.

To double check, look for updated OpenSSL packages that contain support for TLS_FALLBACK_SCSV (OpenSSL 1.0.1j, 1.0.0o and 0.9.8zc or later, or your distribution's backport of that change). TLS_FALLBACK_SCSV is a marker a browser adds to the cipher-suite list of its ClientHello when it is retrying a failed handshake with an older protocol version; a server that understands the marker and supports a newer version than the one offered refuses the connection, so an attacker can no longer force a downgrade from TLS to SSL 3.0 (or from TLS 1.2 to an older TLS). It is important to note that this only works if the client's browser also sends the marker, and it will not protect a browser that only supports SSL 3.0 (such as IE6), which has nothing to fall back from. A patched openssl s_client has a matching -fallback_scsv option; when you use it together with an option that disables the client's newest protocol version, a patched server should refuse the connection with an "inappropriate fallback" alert.

The commands you need to run for the most common Linux operating systems are as follows:

CentOS & Fedora:

yum -y update openssl

Ubuntu and Debian:

apt-get update && apt-get install --only-upgrade openssl

Then restart any services using SSL/TLS (Apache, nginx, mail and FTP daemons, and so on), or reboot the server. A running process keeps using the old copy of the library until it is restarted, so the update is not in effect until you do this.
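To check that a server really does refuse SSL 3.0 after the changes above, and to see what TLS_FALLBACK_SCSV does on the wire, here is an added example probe written for this post (it is not Heart Internet's tooling and not part of OpenSSL). Current Python cannot speak SSL 3.0 through its ssl module at all, so the ClientHello is built by hand from the SSL 3.0 record layout (RFC 6101) and the SCSV rule comes from RFC 7507. The server-side rule is shown as a small function so you can see why a fallback is refused. The list of CBC cipher suites is an assumption (a handful that SSL 3.0 servers commonly accepted); the host and port are whatever you pass in.

```python
"""SSL 3.0 probe and TLS_FALLBACK_SCSV check (added example, not vendor code).

The ClientHello is built by hand because Python's ssl module no longer
supports SSL 3.0. Layout follows RFC 6101 (SSL 3.0) and RFC 7507 (SCSV).
"""
import os
import socket
import struct
import time

# Record content types and handshake message types (RFC 6101, section 5.2 / 5.6).
HANDSHAKE, ALERT = 0x16, 0x15
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02
SSL3 = b"\x03\x00"   # SSL 3.0 as it appears on the wire
TLS12 = b"\x03\x03"  # TLS 1.2, used as the "highest supported version" below

# Assumption: a few CBC suites SSL 3.0 servers commonly accepted (all affected by POODLE).
CBC_SUITES = [0x002F, 0x0035, 0x000A, 0x0033, 0x0039]
TLS_FALLBACK_SCSV = 0x5600           # signalling suite from RFC 7507
ALERT_INAPPROPRIATE_FALLBACK = 86
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}


def build_client_hello(version=SSL3, suites=CBC_SUITES, fallback_scsv=False):
    """Return one handshake record carrying a ClientHello for `version`."""
    suites = list(suites) + ([TLS_FALLBACK_SCSV] if fallback_scsv else [])
    body = version
    body += struct.pack("!I", int(time.time())) + os.urandom(28)   # 32-byte client random
    body += b"\x00"                                                 # empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                             # compression: null only
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + version + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, [cipher suites]) from a ClientHello record."""
    assert record[0] == HANDSHAKE and record[5] == CLIENT_HELLO
    body = record[9:]                       # skip 5-byte record + 4-byte handshake header
    client_version = body[:2]
    pos = 35 + body[34]                     # 2 version + 32 random + 1 session-id length
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    suites = [struct.unpack("!H", body[pos + 2 + i:pos + 4 + i])[0] for i in range(0, n, 2)]
    return client_version, suites


def classify_response(data):
    """Classify the first record a server sent back to an SSL 3.0 ClientHello."""
    if not data:
        return "rejected"   # many servers just close the connection
    if data[0] == HANDSHAKE and len(data) > 10 and data[5] == SERVER_HELLO and data[9:11] == SSL3:
        return "sslv3_accepted"   # server negotiated SSL 3.0: still vulnerable
    if data[0] == ALERT and len(data) >= 7:
        return "rejected:" + ALERT_NAMES.get(data[6], str(data[6]))
    return "unknown"


def server_fallback_check(record, server_max_version=TLS12):
    """Server-side rule from RFC 7507: if the client signals a fallback (SCSV present)
    but offers a version below the highest one this server supports, abort with
    inappropriate_fallback (86). Returns the alert number, or None to carry on."""
    client_version, suites = parse_client_hello(record)
    if TLS_FALLBACK_SCSV in suites and client_version < server_max_version:
        return ALERT_INAPPROPRIATE_FALLBACK
    return None


def probe_sslv3(host, port=443, timeout=5.0):
    """Send an SSL 3.0 ClientHello to a live server and classify its reply (uses the network)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            return classify_response(s.recv(4096))
        except (ConnectionResetError, socket.timeout):
            return "rejected"


if __name__ == "__main__":
    import sys
    print(probe_sslv3(sys.argv[1] if len(sys.argv) > 1 else "localhost"))
```

Run it as python3 poodle_probe.py yourserver.example. A result of sslv3_accepted means the server still negotiates SSL 3.0, so look for another SSLProtocol line that re-enables it or a service that was not restarted; any "rejected" result is what you want. The server_fallback_check function is the rule a patched OpenSSL applies: an SSL 3.0 ClientHello carrying TLS_FALLBACK_SCSV is refused by a server that supports TLS, while a TLS 1.2 ClientHello with the same marker is accepted because nothing was downgraded.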


If you have any questions regarding anything in this post or would like extra assistance, please raise a ticket directly with our support team and they’ll get right back to you.

(Special thanks to Juno and Melon for their contribution to this post).
