TLS POODLE Mitigation Option

Discussion created by cschum on Dec 12, 2014

I believe one mitigation to the new POODLE attack on TLS would be to prioritize GCM cipher suites over CBC ones.


See the example below of a potential cipher suite list which should mitigate the TLS vulnerability as long as the TLSv1.2 protocol is also enabled on your server. With this setup, browsers (with the substantial exception of IE) should negotiate a TLSv1.2 connection using GCM suites. This should mitigate this iteration of POODLE as well as future attacks against CBC suites. Note: this is simply an example and doesn't take required website performance, access requirements (e.g. legacy browser support), etc., into account.


Hope this helps!

[Attached image: Cipher Suites POODLE.png]
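The ordering the post describes, as an added example that is not part of the original post or its attachment: a hypothetical nginx TLS fragment that enables only TLSv1.2 and lists GCM suites ahead of CBC ones with server-side preference, plus a small POSIX shell check that confirms the list keeps every AEAD suite ahead of every CBC suite and classifies what a server actually negotiated. The cipher list, the host name in the usage comment and the captured `openssl s_client` output are constructed for illustration; run the real check by piping live `openssl s_client` output into `check_negotiation`.

```shell
#!/bin/sh
# Added example (not from the original post). Everything below is illustrative:
# the suite list, the nginx fragment and the "captured" s_client output are constructed.

# Constructed server preference list: AEAD (GCM) suites first, CBC suites last.
CIPHER_LIST='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384'

# Hypothetical nginx fragment built from that list. ssl_prefer_server_ciphers on
# makes the server's order win, so a TLSv1.2 client that offers GCM gets GCM.
NGINX_TLS_FRAGMENT=$(printf 'ssl_protocols TLSv1.2;\nssl_prefer_server_ciphers on;\nssl_ciphers "%s";\n' "$CIPHER_LIST")

# classify_cipher NAME -> prints "aead", "cbc" or "other" for an OpenSSL suite name.
# OpenSSL names ending in -SHA/-SHA256/-SHA384 without a GCM/CCM/CHACHA20 marker
# are CBC + HMAC suites, which is the class POODLE-style padding attacks target.
classify_cipher() {
  case "$1" in
    *-GCM-*|*CHACHA20*|*-CCM*) echo aead ;;
    *RC4*|*NULL*)              echo other ;;
    *-SHA|*-SHA256|*-SHA384)   echo cbc ;;
    *)                         echo other ;;
  esac
}

# gcm_before_cbc LIST -> returns 0 if no AEAD suite appears after a CBC suite
# in a colon-separated OpenSSL cipher string, 1 otherwise.
gcm_before_cbc() {
  seen_cbc=0
  old_ifs=$IFS
  IFS=:
  for name in $1; do
    case "$(classify_cipher "$name")" in
      cbc)  seen_cbc=1 ;;
      aead) if [ "$seen_cbc" -eq 1 ]; then IFS=$old_ifs; return 1; fi ;;
    esac
  done
  IFS=$old_ifs
  return 0
}

# check_negotiation < s_client-output -> 0 if the session is TLSv1.2 on an AEAD suite.
# Usage against a live host (not run here):
#   openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | check_negotiation
check_negotiation() {
  out=$(cat)
  proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
  cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
  [ "$proto" = "TLSv1.2" ] && [ "$(classify_cipher "$cipher")" = aead ]
}

# Constructed s_client session blocks: one GCM negotiation, one CBC negotiation.
SAMPLE_S_CLIENT_OUTPUT_GCM='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
'
SAMPLE_S_CLIENT_OUTPUT_CBC='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES128-SHA
'

# Stand-alone demonstration on the constructed data.
printf '%s\n' "$NGINX_TLS_FRAGMENT"
if gcm_before_cbc "$CIPHER_LIST"; then echo "cipher list: GCM before CBC"; else echo "cipher list: CBC listed before GCM"; fi
if printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT_GCM" | check_negotiation; then echo "sample 1: TLSv1.2 + AEAD"; else echo "sample 1: not mitigated"; fi
if printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT_CBC" | check_negotiation; then echo "sample 2: TLSv1.2 + AEAD"; else echo "sample 2: not mitigated"; fi
```

The check only answers what the post is about: whether the server keeps AEAD suites ahead of CBC suites and whether a given client ended up on one of them under TLSv1.2. A client that offers no GCM suite (the IE caveat in the post) will still land on a CBC suite, which is exactly what the second constructed sample shows.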