Blog

What is the POODLE vulnerability - back to basics


Tags :


As we fight to fix the POODLE vulnerability in all systems, we should know what it is. POODLE stands for Padding Oracle on Downgraded Legacy Encryption . In simpler terms it exploits an older form of encryption your browser may use to communicate with servers.

As long as both the server and the client (web browser) support SSL 3.0, the attacker can force a downgrade in the protocol, so even if your browser tries to use TLS, it ends up being forced to use SSL instead. The only answer is for either side or both sides to remove support for SSL, removing the possibility of being downgraded.

So if an attacker can force your browser down to the older SSL 3.0 then they could cause some problems.  While vendors are hurriedly trying to patch their software, pretty much everyone was still supporting SSL 3.0 on their servers and of course your browsers do too. The only true solution is for both the web servers and the browsers to remove support for SSL 3.0 and force everything to TLS (transport layer security).

You can temporarily disable SSL 3.0 (and prior) in your own browsers for the time being.  Just be warned that if a site you frequentdoe not for some reason support TLS then you cannot get a secure connection once you do this.  Firefox will be making an update in late November under version 34 that removes SSL 3.0.  For now you can manually add a SSL Version Control extension to assist.

Google Chrome can be adjusted by simply changing your shortcut to force TLS as the minimal SSL connectivity.  They will have a Chrome update soon that will address it for the end users.

Lastly Internet Explorer (IE) has a manual way fix you can do today. I could not find a date yet on when they will update to fix the problem but in your Advanced tab and the Security section you can simply click to disable older SSL and make sure TLS is enabled for connections.