Announced in October, 2014, and given the innocuous name POODLE, the SSL v3 vulnerability is anything but cute. However, a few simple steps can keep you safe.
POODLE (Padding Oracle On Downgraded Legacy Encryption) is the name given to a method hackers may use to attempt to break through the security of a secure (HTTPS) connection between you and a web server. To prevent this and maintain security, you need to tell your browser that it can no longer use SSL when connecting to a secure server, and server administrators need to disable SSL on their servers. Unfortunately, this may break secure browsing for users of older browsers or for those whose browsers are not configured to use the newer protocols.
In short, since SSLv2 and SSLv3 (the final versions of SSL) are obsolete and insecure, if your browser is not able or not configured to use TLS, you may not be able to browse websites, or at least not those that take security seriously. To test your browser to see if you are at risk for the POODLE vulnerability, visit Qualys SSL Labs POODLE test site. We have also put together a few quick steps to verify or update the settings in your browser (see Related Instructions section). Once you are configured correctly, your browsing is protected from POODLE. If you'd like to know more about what POODLE is, read on.
Now for those who want the long explanation...
When you access secure web pages on the Internet, whether you use Google Chrome, Internet Explorer, Firefox or another choice, your browser reaches an agreement with the web server on how it will communicate securely. Most web servers offer several protocol choices for this communication. SSL (Secure Sockets Layer) version 2 was the original method used for this security. As security needs grew, and as new technologies were developed, SSL was revised as version 3, and later succeeded by the newer protocol TLS (Transport Layer Security), which is now available in versions 1.0, 1.1 and 1.2.
Over time, weaknesses are found in older protocols, and technology advances allow breaking protocols that used to be secure. When deciding on what security protocol to use, your browser will generally try to choose the newest, strongest protocol. However, sometimes for compatibility reasons, your browser may choose to fall back to an older technology if it is available. SSLv3, the final version of SSL, while known to be obsolete and insecure, has still been offered with the expectation that TLS, the more secure protocol, will almost always be used.
That brings us to POODLE. Using methods discovered by researchers at Google, an attacker could disrupt your browser's attempt to start its conversation with a secure server using TLS so that it will fall back to the older SSL protocol. When this happens, they can then use known weaknesses in SSL to intercept the information.
This kind of attack requires some technical skill, and would most likely occur where intercepting communcation is easiest, such as a Wi-Fi network in a public place. However, since the SSL protocols are known to be weak and vulnerable, and since TLS has been available since 1999, disabling SSL will not only prevent POODLE attacks, but will ensure safer secure browsing overall.
Additional Reading:
