Tuesday, October 14, 2014

How to Disable SSLv3 on AWS Elastic Load Balancers

In a blog post today, Google announced a vulnerability in SSLv3 that could allow attackers to intercept data that had been assumed to be secure. Luckily, only a very small portion of the web (IE6 users on Windows XP) still relies on SSLv3, so for the most part it can safely be disabled to mitigate the risk from this issue.

http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html

UPDATE 10/15: As Andrew and Julio point out in the comments below, AWS has since updated their default cipher security policies. Replace steps 5 and 6.

To modify the ciphers on AWS ELBs, follow these steps:

1) Log into the AWS console and click on "Load Balancers."
2) Find the load balancer that handles your site's traffic (you shouldn't need to worry about internal VPC LBs, etc.)
3) Click the "Listeners" tab
4) Find the HTTPS/443 listener and click "Edit" under the cipher column
5) (original) Change the option to "Custom"
6) (original) Uncheck the SSLv3 option
5) (updated) Change the policy to "ELBSecurityPolicy-2014-10", which disables SSLv3 for you.
6) Save.

This should be sufficient to mitigate this risk with the information that is currently known.
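The same change can be made and verified from the command line. This is an added example, not part of the original post or an AWS-provided script: it assumes the AWS CLI's classic ELB commands (`aws elb ...`), an `openssl` binary, and placeholder values for the load balancer name and policy name that you supply yourself; the sample policy output is constructed to illustrate the check.

```shell
# Added example (not from the original post): apply the ELBSecurityPolicy-2014-10
# reference policy to a classic ELB's 443 listener and check the result.
# Function names and the policy name "no-sslv3-2014-10" are assumptions.
set -eu

# Create a listener policy that references the AWS predefined policy (which has
# SSLv3 turned off), then bind it to the HTTPS/443 listener.
apply_no_sslv3_policy() {
  lb_name="$1"; policy_name="${2:-no-sslv3-2014-10}"
  aws elb create-load-balancer-policy \
    --load-balancer-name "$lb_name" \
    --policy-name "$policy_name" \
    --policy-type-name SSLNegotiationPolicyType \
    --policy-attributes AttributeName=Reference-Security-Policy,AttributeValue=ELBSecurityPolicy-2014-10
  aws elb set-load-balancer-policies-of-listener \
    --load-balancer-name "$lb_name" \
    --load-balancer-port 443 \
    --policy-names "$policy_name"
}

# Read the text output of `aws elb describe-load-balancer-policies --output text`
# on stdin and print "enabled" if the Protocol-SSLv3 attribute is true,
# otherwise "disabled". Pure text parsing, so it works on saved output too.
sslv3_state_from_policy_text() {
  if grep -qiE 'Protocol-SSLv3[[:space:]]+true'; then
    echo enabled
  else
    echo disabled
  fi
}

# Live check against the listener: exit 0 if the endpoint completes an SSLv3
# handshake (bad), 1 if it refuses, 2 if this OpenSSL build cannot speak SSLv3.
sslv3_handshake_accepted() {
  out=$(openssl s_client -connect "$1:443" -ssl3 </dev/null 2>&1 || true)
  case "$out" in
    *"unknown option"*|*"unrecognized option"*) return 2 ;;
    *"Cipher is (NONE)"*|*"handshake failure"*) return 1 ;;
    *) return 0 ;;
  esac
}

# Constructed samples of describe-load-balancer-policies text output: one from
# a policy that still allows SSLv3, one from ELBSecurityPolicy-2014-10.
SAMPLE_SSLV3_ON=$(printf 'POLICYATTRIBUTEDESCRIPTIONS\tProtocol-SSLv3\ttrue\nPOLICYATTRIBUTEDESCRIPTIONS\tProtocol-TLSv1\ttrue\n')
SAMPLE_SSLV3_OFF=$(printf 'POLICYATTRIBUTEDESCRIPTIONS\tProtocol-SSLv3\tfalse\nPOLICYATTRIBUTEDESCRIPTIONS\tProtocol-TLSv1\ttrue\n')
```

After applying the policy, run `aws elb describe-load-balancer-policies --load-balancer-name <name> --policy-names no-sslv3-2014-10 --output text | sslv3_state_from_policy_text` and expect `disabled`.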

4 comments:

  1. Actually, the Predefined Security Policy ELBSecurityPolicy-2014-10 does this for you. It might have come online since you wrote this blog post, but the latest security policy removes support for SSLv3.

    1. Thanks, Andrew, I did this yesterday afternoon and didn't see it, but I'll definitely update the post.

  2. You can also use Amazon's new Predefined Security Policy called "ELBSecurityPolicy-2014-10", which is basically ELBSecurityPolicy-2014-01 without SSLv3 :-)

    1. Thanks, Julio! I've updated the post with the new info, since Amazon hadn't made this change when I first wrote this post.
