1
POODLE SSLv3 vulnerability and SmarterMail
Question asked by Mr Unique - 10/15/2014 at 10:31 PM
Unanswered
What should SmarterMail administrators be doing in response to the POODLE SSLv3 vulnerability?
 
 

6 Replies

Reply to Thread
1
Bruce Barnes Replied
POODLE SSLv3 is not a software related issue, but an issue with the security capabilities of the operating system.
 
The POODLE SSLv3 issue is present in ALL WINDOWS 2003 SERVER, WINDOWS 2008 SERVER, and WINDOWS 2012 SERVER installations, whether 32 or 64 bit.
 
To remove all issues both SSL v2.0 and SSL v3.0 need to be disabled. 
 
SSL v2.0 was discovered to be an issue pre-2010, and should have been disabled at that time.
 
The discovery of POODLE SSL v3 marks the end of SSL v3.0 - permanently.
 
 
Since TLS 1.0 is the only other protocol supported under Server 2003, this downgrades the SSL capabilities of Server 2003 and makes the retirement of the product that much more important.
 
NOTE THAT THIS WILL LIMIT THE CAPABILITY OF WINDOWS XP MACHINES, TO CONNECT VIA SSL!
 
 
 
 
These can be changed via some registry hacks, but this must be done with extreme care.  Here's a link to a Microsoft article on how to do so:  http://support.microsoft.com/kb/187498
 
Remember to BACKUP the registry prior to making any changes.
 
Remember you must reboot the server to have the registry changes take effect.
 
Once you have completed your changes, you can check your SSL at: https://www.ssllabs.com/ssltest/index.html
 
Note that Windows Server 2003 will never receive a grade higher than a "B" from the Quality SSL Labs testing service.
 
Scrolling to the very bottom of the Quality SSL Labs report will tell you if you are vulnerable for BEAST or POODLE attacks:
 
 
Note that, with the latest vulnerability issues, Server 2003 does not allow very secure connections any longer and, given Microsoft's 13 July, 2015 EOL date, it would probably be a good time to consider upgrading to Server 2008 or, even better, Server 2012.
 
 
When testing your SmarterMail server, remember to use the URL of the web interface as the test target, IE: mail.yourdomain.com
 
 
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
0
Mr Unique Replied
This is the utility we've been using to disable SSLv2:
 
https://www.nartac.com/Products/IISCrypto/
 
According to ssllabs test results, it does the trick for SSLv3 as well.
 
The question is, with no viable SSL support left (there is no v4), should SmarterMail admins be editing all SSL related SMTP/POP3/IMAP support and replacing/using just  TLS?
 
0
Bruce Barnes Replied
No, because although not shown in the grspg in my initial response, there are other SSL/TLS protocals which will also be disabled by doing that, and support for many devices will be disabled. Even though there is no 'direct" SSL support, there is still security provided under the SmarterMail protocols.
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
0
Bruce Barnes Replied
FYI: SSL v4 is in developement.
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
0
John Marx Replied
When I saw the information I immediately went to SSL Labs (https://www.ssllabs.com/). I ran there free checker of our SSL's on every server. We did have SSL 3 installed. We turned that off and as Bruce stated you will get several "fails". The fails are for older browsers which we all need to stop support due to obvious security concerns. 
 
Once you have the SSL disabled (this will require a system reboot) re-run the test until you are a minimum of an A- rating; preferably higher. Then test in all the current browsers, update any knowledge base articles and inform your users that they should update there browsers if they haven't already done so.
 
Security starts with us and it flows to the users of the systems we maintain. This will not only help us all out in the long run but make all of our systems more secure to boot. :) 
 
2
Bruce Barnes Replied
Just so everyone knows: The highest rating which will be given to any Windows Server 2003 install is a "B".
 
There are a couple of additional security protocols which can be enabled, to help support the Windows phone operating system, but, with these recent developments, it's time to completely depreciate Server 2003, and upgrade everything to Server 2012.
 
I will post some registry hacks in a KB later today, and link the article to this post., for those who are desperate to continue to use Server 2003, and provide maximum security coverages, but I hear distinct wheezing and coughing coming from what was once a golden leap forward in Microsoft servers products.
 
Time for many of us to go dig some cash up from the coffee can we burred in the back yard . . .
 
Here's a link to a KB with all of the Server 2003 Registry hacks to maximize SSL/TLS security on Windows 2003 Server.
 
USE WITH EXTREME CAUTION AND BACKUP YOUR REGISTRY BEFORE MAKING ANY CHANGES!
 
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting

Reply to Thread