Security: TOPdesk and SSLv3.0 or "POODLE" vulnerability

On October 14, 2014, Google published details of a vulnerability in the design of SSL version 3.0, which made it possible to intercept communication between TOPdesk and a user. SSL version 3.0 is one of the protocols available to secure connections between web servers like TOPdesk and the browser of a user.

Under normal circumstances and with recent versions of web browsers, the connection to TOPdesk SaaS is secured with more recent and safer protocols. We recommend that our TOPdesk customers use recent and updated web browsers to secure communication with TOPdesk and other web services. For on-premises installations of TOPdesk, we recommend disabling SSL v3 if TOPdesk is configured to use SSL. This is only possible on recent TOPdesk versions (5.3 and higher). For TOPdesk SaaS, a change is implemented at the end of week 43 2014 to disable this protocol.

Effects on TOPdesk SaaS:
After careful consideration, TOPdesk concluded that it was necessary to disable the option to use SSL v3 in order to ensure that our services remain secure. Even if modern browsers are used, an attacker can force the browser to use the old protocol, which we find unacceptable. In week 43 2014, users with extremely old browser versions like Internet Explorer 6 could have noticed that logging in to TOPdesk is no longer possible, as these versions do not support the more secure and modern alternatives such as TLS. Statistics on our servers indicate that less than 6% of our users were using a browser which is too old to handle the more secure alternatives. We recommend that these customers upgrade their browsers to ensure that all internet services can be accessed in a safe way.

No action is required by our customers if modern browsers are used. You will not notice any difference in using TOPdesk.
Effects for in-house hosted TOPdesk software:
If a reverse proxy is used to secure connections between TOPdesk and end users, we kindly refer to the documentation of the system used on how to disable this protocol for TOPdesk and other served websites. If the web server of TOPdesk is configured to use SSL for all connections, the following configuration is recommended.

For recent versions of TOPdesk 5 (only 5.3 or higher):
* Stop the TOPdesk application server to be able to change the configuration files
* In the TOPdesk installation folder, open the file \etc\AppServer-ssl.xml
* Add the following parameters to exclude SSL v3 from the usable protocols.
  SSLv3
* Restart your TOPdesk application server

Please refer to the attached configuration files for examples on how to edit your configuration files. Do not copy these example files into your installation, as they might overwrite other configurations made in your installation.

3rd party tools:
Please be aware that the changes regarding SSL connectivity will also affect other tools that send or retrieve information from TOPdesk by means of HTTP requests. Please test to make sure that those tools are able to support TLS.

Background information:
For a detailed description of the problem we kindly refer to the publication by Google: http://googleonlinesecurity.blogspot.nl/2014/10/this-poodle-bites-exploiting-ssl-30.html
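
To confirm that an in-house TOPdesk server or reverse proxy you administer no longer accepts SSL v3 after the configuration change described above, the following Python script sends a ClientHello that offers only SSL 3.0 and reports whether the server answers with a ServerHello or refuses. It is an added example, not part of TOPdesk's documentation or software; the function names and the offered cipher suite list are assumptions made for this example. The hello is built by hand because many current TLS libraries can no longer offer SSL 3.0 themselves.

```python
import os
import socket
import struct

SSL3 = b"\x03\x00"  # protocol version bytes for SSL 3.0
# Suites SSL 3.0 can negotiate: AES128-SHA, AES256-SHA, 3DES-SHA, RC4-SHA.
# Assumption: a server that still enables SSLv3 offers at least one of these.
SUITES = struct.pack(">4H", 0x002F, 0x0035, 0x000A, 0x0005)


def build_client_hello():
    """Return a ClientHello record that offers SSL 3.0 and nothing newer."""
    body = (SSL3 + os.urandom(32)            # client_version, random
            + b"\x00"                        # empty session id
            + struct.pack(">H", len(SUITES)) + SUITES
            + b"\x01\x00")                   # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + SSL3 + struct.pack(">H", len(handshake)) + handshake


def classify_reply(data):
    """Interpret the first bytes the server sent back."""
    if len(data) < 7:
        return "refused: connection closed without a handshake"
    if data[0] == 0x15:                      # alert record: level, description
        return "refused: TLS alert %d" % data[6]
    if data[0] == 0x16 and data[5] == 0x02 and data[9:11] == SSL3:
        return "ACCEPTED: SSLv3 is still enabled"
    return "unknown reply"


def probe(host, port=443, timeout=5.0):
    """Offer SSLv3 only to a server you administer and report its answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello())
            return classify_reply(sock.recv(4096))
    except ConnectionResetError:
        return classify_reply(b"")


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

Run it with the host name and port of your own server as arguments. A "refused" result for the offered suites is the expected outcome once SSL v3 is excluded.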