3

I have been trying to mitigate POODLE on client side in my organization. I disabled SSL3 in most browsers but couldn't disable it in Safari. Apple released a Security Update 2014-005, which, according to apple, addresses POODLE.

However, Safari is still vulnerable to POODLE according to various SSL testing sites.

I just want to disable SSL3 in Mac (Safari). Is there a way?

Anders
  • 64,406
  • 24
  • 178
  • 215
user61520
  • 41
  • 2

1 Answers1

1

The security update for Apple does not disable SSLv3, but it disables "cipher block chaining", which is at the heart of the POODLE exploit, explained by CISCO:

"The vulnerability is due to improper block cipher padding implemented in TLSv1 when using Cipher Block Chaining (CBC) mode. An attacker could exploit the vulnerability to perform an "oracle padding" side channel attack on the cryptographic message. "

So the POODLE testers are looking for SSLv3, which is one way to mitigate POODLE, but disabling CBC mode is also a great way to protect yourself.

To answer the heart of your question, no, you do not have control over the cipher suites used in Safari. But the APPLE-SA did fix the POODLE vulnerability.

Ohnana
  • 4,737
  • 2
  • 23
  • 39
  • The correct [Cisco information page](http://tools.cisco.com/security/center/viewAlert.x?alertId=36084), as the question is about SSL v3.0, not TLS v1. – taltman Jun 15 '15 at 20:46
  • What is your basis for saying that Apple has fixed the vulnerability? Testing Safari version 8.0.6 on the [Qualys test page](https://dev.ssllabs.com/ssltest/viewMyClient.html), it shows plenty of support for SSL v3.0 and TLS v1.0, and TLS CBC modes in its cipher suites. – taltman Jun 15 '15 at 21:25