By Qualtrax on November 14, 2014
At Qualtrax, we like to make sure our customers are as secure as possible. For that reason, we want to pass along what our Support Team has learned about the recent vulnerability in SSL known as POODLE (CVE-2014-3566), also referred to as Poodlebleed.
As you may already be aware, this vulnerability is a flaw in the design of SSL version 3.0 itself (the way it pads CBC-mode records), so every product that still accepts SSL 3.0 is affected, regardless of vendor. An attacker positioned on the network between a user's browser and the Qualtrax server can force the connection down to SSL 3.0 and then recover small pieces of the encrypted traffic, such as a session cookie, one byte at a time. For a more detailed explanation of the vulnerability please see Poodlebleed Bug.
What this means for you is that any Qualtrax server that still accepts SSL 3.0 connections over HTTPS is exposed to this attack. The fix is to disable SSL 3.0 on both sides: a server that refuses SSL 3.0 protects every browser that connects to it, and a browser that refuses SSL 3.0 protects its user against any server. If you are a cloud customer, the Qualtrax server has already been patched and only the browser on each client machine needs to be fixed.
In order to patch the server, a registry edit needs to be applied that disables SSL version 3.0 in Windows' SCHANNEL provider; the change takes effect only after the server is restarted. Please see the following Microsoft advisory and follow the section on how to disable SSL 3.0 for Windows servers. https://technet.microsoft.com/en-us/library/security/3009008.aspx
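The following script is an added example, not part of the original Qualtrax post or Microsoft's advisory. It applies the SCHANNEL registry change the advisory describes (Enabled = 0 and DisabledByDefault = 1 under the SSL 3.0 Server and Client keys), reads the values back, and then provides a check you can run from another machine after the reboot to confirm the server refuses an SSL 3.0-only handshake. The host name qualtrax.example.com is a placeholder; substitute your own server.

```powershell
# Added example (not from the Qualtrax post): disable SSL 3.0 in SCHANNEL on a
# Windows server as described in Microsoft Security Advisory 3009008, then verify.
# Run in an elevated PowerShell session; a reboot is required before the change
# is picked up.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0'

foreach ($side in 'Server', 'Client') {
    $key = Join-Path $base $side
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Enabled = 0 turns the protocol off; DisabledByDefault = 1 keeps it off even
    # when an application asks SCHANNEL for its "default" set of protocols.
    New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
}

# Read the values back so the change can be confirmed before rebooting.
foreach ($side in 'Server', 'Client') {
    Get-ItemProperty -Path (Join-Path $base $side) |
        Select-Object PSChildName, Enabled, DisabledByDefault
}

# Post-reboot check, run from a client machine: offer ONLY SSL 3.0 to the server.
# A patched server must refuse this handshake.
function Test-Ssl3Handshake {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Certificate validation is skipped ({ $true }) because we only care
        # whether the protocol is negotiated, not whether the certificate is trusted.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Ssl3, $false)
        return $true    # handshake succeeded: SSL 3.0 is still accepted
    } catch {
        return $false   # handshake refused: SSL 3.0 is disabled
    } finally {
        $client.Close()
    }
}

# Placeholder host name; replace with the Qualtrax server being checked.
if (Test-Ssl3Handshake -HostName 'qualtrax.example.com') {
    'SSL 3.0 is STILL accepted - the server has not been patched or not yet rebooted.'
} else {
    'SSL 3.0 refused - server is patched.'
}
```

Run the handshake check from a machine whose own SSL 3.0 client support is still enabled; if the checking machine has already had SSL 3.0 disabled under its Client key, the handshake fails locally and tells you nothing about the server. Also note that the Client key written above stops the server from using SSL 3.0 for its own outbound connections, which is the right default but may need attention if the server talks to other legacy systems.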
*Note: Once SSL version 3.0 has been disabled, any browser that can only speak SSL 3.0 will no longer be able to connect to Qualtrax; in practice this means the already unsupported Internet Explorer 8 and below.
On the client side you only need to ensure that TLS is enabled in the browser and that SSL 2.0 and SSL 3.0 are disabled. If you are using Google Chrome, make sure you are on the latest release, which already addresses this.
For Internet Explorer go to your Control Panel and open Internet Options. On the Advanced tab scroll down to the Security section. Ensure that TLS 1.0, 1.1 and 1.2 are checked. Ensure that SSL 2.0 and SSL 3.0 are unchecked. Please match the marked section in the image below.
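Internet Explorer stores those Advanced tab checkboxes as a bitmask in the SecureProtocols registry value under the current user, which makes it possible to apply and audit the setting without clicking through the dialog on every machine. The script below is an added example, not from the Qualtrax post; the bit values it uses (SSL 2.0 = 0x8, SSL 3.0 = 0x20, TLS 1.0 = 0x80, TLS 1.1 = 0x200, TLS 1.2 = 0x800) are those documented by Microsoft for this value.

```powershell
# Added example (not from the Qualtrax post): read and set Internet Explorer's
# protocol checkboxes (Internet Options > Advanced > Security) via the
# SecureProtocols bitmask for the current user.

$key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$bits = [ordered]@{
    'SSL 2.0' = 0x8
    'SSL 3.0' = 0x20
    'TLS 1.0' = 0x80
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
}

# Decode the current value into one checkbox per protocol.
function Get-IEProtocols {
    $value = (Get-ItemProperty -Path $key -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols
    if ($null -eq $value) {
        Write-Warning 'SecureProtocols is not set; IE is using its built-in default.'
        return [ordered]@{}
    }
    $result = [ordered]@{}
    foreach ($name in $bits.Keys) {
        $result[$name] = (($value -band $bits[$name]) -ne 0)
    }
    return $result
}

# Build the bitmask from the protocols that should be ticked and write it.
function Set-IEProtocols {
    param([string[]]$Enable)
    $mask = 0
    foreach ($name in $Enable) {
        if (-not $bits.Contains($name)) { throw "Unknown protocol '$name'" }
        $mask = $mask -bor $bits[$name]
    }
    Set-ItemProperty -Path $key -Name SecureProtocols -Value $mask -Type DWord
    return $mask
}

'Before:'; Get-IEProtocols

# The configuration the post asks for: TLS 1.0/1.1/1.2 ticked, SSL 2.0/3.0 unticked.
# 0x80 + 0x200 + 0x800 = 0xA80 (2688).
$mask = Set-IEProtocols -Enable 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
"SecureProtocols set to 0x{0:X} ({0})" -f $mask

'After:'; Get-IEProtocols
```

Internet Explorer reads the value when it starts, so close and reopen the browser after running this. If the protocols are controlled by Group Policy, the policy value under HKLM takes precedence and the Advanced tab will show the checkboxes greyed out; in that case the change has to be made in the policy rather than per user.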
For Firefox, open the browser and type about:config in the address bar. You should see a list of settings and their values. Find security.tls.version.min and ensure that it is set to 1 or higher: 0 means SSL 3.0 is still allowed, 1 means TLS 1.0 is the lowest protocol Firefox will negotiate. Ensure your Firefox setting matches the highlighted line below.
As always, we want you to be as safe as possible from attacks and vulnerabilities. We hope that these types of blog posts are few and far between.