There is a new US-CERT advisory that many SSL/TLS implementations are susceptible to the POODLE attack, in which an attacker forces a TLS connection to downgrade to SSLv3:
https://www.us-cert.gov/ncas/alerts/TA14-290A
Load balancers created after 10/14/2014 5:00 PM PDT disable the SSLv3 protocol by default (they will not allow TLS to fall back to SSLv3, and are therefore not vulnerable to POODLE). For load balancers created before this date, you can manually change the protocols in use: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/configure-ssl-ciphers.html
You'll just need to make sure your load balancer only supports TLS protocols. The easiest way to do this is to use the predefined policy "ELBSecurityPolicy-2014-10".
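As an added example (not part of the original post), here is how the change above looks from the command line for a classic ELB: the two AWS CLI calls that attach the predefined "ELBSecurityPolicy-2014-10" policy to an existing HTTPS listener, plus a small check that classifies the output of an `openssl s_client -ssl3` probe against the load balancer. The load balancer name, policy name and the sample `openssl` outputs are constructed placeholders; by default the AWS commands are only printed (set `DRY_RUN=0` to execute them with your own credentials).

```shell
#!/bin/sh
# Added example: switch a pre-2014-10-14 classic ELB to the TLS-only
# predefined policy and verify SSLv3 is refused. Not from the original post.
# LB_NAME and POLICY_NAME are placeholders (assumptions), override as needed.

LB_NAME="${LB_NAME:-my-classic-elb}"
POLICY_NAME="${POLICY_NAME:-TLSOnly-2014-10}"
REF_POLICY="ELBSecurityPolicy-2014-10"   # the predefined TLS-only policy

# Print the command (DRY_RUN=1, the default) or execute it (DRY_RUN=0).
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: create an SSL negotiation policy that references the predefined
#         TLS-only policy. Step 2: bind it to the HTTPS listener (port 443).
apply_tls_only_policy() {
  port="${1:-443}"
  run aws elb create-load-balancer-policy \
      --load-balancer-name "$LB_NAME" \
      --policy-name "$POLICY_NAME" \
      --policy-type-name SSLNegotiationPolicyType \
      --policy-attributes "AttributeName=Reference-Security-Policy,AttributeValue=$REF_POLICY"
  run aws elb set-load-balancer-policies-of-listener \
      --load-balancer-name "$LB_NAME" \
      --load-balancer-port "$port" \
      --policy-names "$POLICY_NAME"
}

# Classify the combined stdout/stderr of:
#   openssl s_client -connect HOST:443 -ssl3 </dev/null 2>&1
# Prints one of: sslv3_enabled, sslv3_disabled, inconclusive.
# "inconclusive" covers an OpenSSL client built without SSLv3 support,
# which cannot tell you anything about the server.
classify_ssl3_probe() {
  out="$1"
  if printf '%s' "$out" | grep -q 'Protocol *: SSLv3'; then
    echo sslv3_enabled
  elif printf '%s' "$out" | grep -qiE 'unknown option|null ssl method'; then
    echo inconclusive
  elif printf '%s' "$out" | grep -qiE 'handshake failure|wrong version number|alert'; then
    echo sslv3_disabled
  else
    echo inconclusive
  fi
}

# Live probe of a host (needs network and an SSLv3-capable openssl).
probe_ssl3() {
  host="$1"
  classify_ssl3_probe "$(openssl s_client -connect "$host:443" -ssl3 </dev/null 2>&1)"
}

# Constructed sample outputs (abbreviated, not captured from a real host).
SAMPLE_REFUSED='CONNECTED(00000003)
error:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:SSL alert number 40'
SAMPLE_NEGOTIATED='CONNECTED(00000003)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES128-SHA'
SAMPLE_NO_CLIENT_SSL3='unknown option -ssl3
usage: s_client args'

if [ "${0##*/}" != "sh" ] && [ -z "$NO_DEMO" ]; then
  apply_tls_only_policy 443
  classify_ssl3_probe "$SAMPLE_REFUSED"
  classify_ssl3_probe "$SAMPLE_NEGOTIATED"
  classify_ssl3_probe "$SAMPLE_NO_CLIENT_SSL3"
fi
```

After applying the policy, confirm it with `aws elb describe-load-balancer-policies --load-balancer-name "$LB_NAME" --policy-names "$POLICY_NAME"` and then probe the endpoint with `probe_ssl3 your-elb-hostname`. Newer OpenSSL builds ship without SSLv3, so the probe reports "inconclusive" rather than a false "disabled"; in that case use an older client or an external scanner for the check.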