UAB IT is aware of a critical vulnerability — called “POODLE” — on Web browsers and is taking steps to ensure that all enterprise systems and applications have been protected from this vulnerability.

Security researchers have identified POODLE — “Padding Oracle on Downgrade Legacy Encryption” — in an old but still commonly used version of SSL, the technology used to encrypt HTTP and other web traffic. Any server that supports SSL version 3 (SSLv3) can be exploited so that an attacker can decrypt secure sessions, potentially revealing passwords and other private information.

Web browsers will be updating their technology over the next few weeks to automatically disable SSLv3 on the client (browser) side, eliminating the POODLE vulnerability. If you utilize an older computer, please ensure that you have updated modern web browser such as Firefox 33, Chrome 38, Safari 7, Internet Explorer 10 or 11. There are platform-specific settings available for most browsers to disable SSLv3 at runtime for those who do not want to wait. Most users can simply ensure they get automatic browser updates and wait for the official update.

The safest and simplest solution is to disable SSLv3 support on all software, and instead use more recent versions of SSL: TLS version 1, 1.1, or 1.2. (Confusingly, more recent versions of SSL use the name TLS, for Transport Layer Security, rather than SSL, and the numbering scheme was reset to 1. So SSLv3 is older than TLSv1. TLS version 1.2 is the most recent version of SSL/TLS.)

Server administrators should take immediate action to disable SSLv3. Simply enabling other versions and leaving SSLv3 enabled is insufficient, as protocol downgrade attacks are possible. Disabling SSLv3 on a server may create compatibility problems for ancient client software — most notably, Internet Explorer 6 will be blocked from using SSL. Protocol configuration is platform-specific, so please refer to your official documentation for instructions. Some unofficial guides and methods of checking your server are available in in the references below.

Web clients other than browsers, such as web services, may need reconfiguration to communicate over TLS. Administrators and developers responsible for non-browser clients should check their official documentation. 

UAB IT has contracted with InCommon to provide Comodo SSL server certificates for the uab.edu domain. 

Any UAB department using a certificate ending in uab.edu can use the service at no cost. UAB IT pays a yearly fee that covers all certificates.

For regular SSL server certificates, the server administrator can order them here.

For wildcard certificates and multiple domain name certificates, the server administrator should send a request to AskIT with all of the details and a valid CSR (Certificate Signing Request), and the request will be routed through Data Security and the Unix team.