Researchers at Google discovered a flaw in Secure Sockets Layer v3 (SSL v3), nicknamed POODLE, rendering the 15-year-old encryption protocol for browsers and websites open to possible security vulnerabilities. Does this have any impact on Paragon or RETS?
What is the impact for Paragon users?
In limited instances users who are still utilizing older PCs and browser versions may be impacted and need to enable TLS, and disable SSL v3 in configuration settings in their browser of choice to accommodate these server changes if they are experiencing trouble logging into Paragon MLS. (See pg2 for details on how to change settings.) Please understand that this is an internet wide risk, and is not specific to Black Knight MLS, nor the real estate industry.
Overview
Secure Sockets Layer (SSL) provides private communication channels for data transmission and encrypts it with a special code. The encryption used for the information being transferred is similar to that of an envelope being sent through the mail. The envelope protects what's inside, and prevents the contents on the inside of the envelope from being seen until it reaches the intended receiver and or destination.
The majority of modern web browsers, Chrome, Firefox, Safari, and Internet Explorer 9+, make use of a newer technology called Transport Layer Security (TLS). The vendors that create these browsers wanted to make the use of secure communications easy on the end user, and unfortunately, allow the browser to revert to the older, less secure protocol, SSL v3. Legacy browsers are especially at risk, most notably Internet Explorer 6, which only supports SSL v3 and none of the encryption protocols that followed.
In addition, Black Knight MLS will be phasing out the use of SHA-1, in favor of SHA-256. Version one of the Secure Hash Algorithm (SHA-1) is similar to SSL v3, in that is out dated, and increasingly insecure. The algorithm is used when creating and validating SSL certificates that protect websites. The newer version, SHA-256, is widely accepted, and implemented in every modern browser.
To address the security concerns around Poodle, we are disabling Secure Socket Layer (SSL v3) and requiring Transport Layer Service (TLS) on our pre-release environment effective November 18, 2014, and BKFS will disable SSLv3 in our production environments effective December 2, 2014. These changes will be made during the downtime maintenance window scheduled for these dates.
Supplementary Information regarding POODLE
The following provides additional detailed information regarding POODLE, SHA-1/256, and browser settings The following page from ZMap describes how to disable SSL v3 for all popular browsers. Please note that some of the information is technically detailed in nature and may not be easily consumed by standard users. We are providing this information as a courtesy and if you need additional assistance with these settings please contact your SSM.
Detailed information on changing SSL v3 to TSL for popular browsers
https://zmap.io/sslv3/browsers.html Note - Firefox will automatically disable SSLv3 in their release of version 34 to be released on November 2014: https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/ eWeek Article: http://www.eweek.com/security/poodle-flaw-found-in-legacy-ssl-3.0-encryption.html Test Your Browser: https://www.ssllabs.com/ssltest/viewMyClient.html
Supplementary Information about SHA-1 / SHA-256
Why Google is ...
Comments