Are you vulnerable to POODLE? What you need to know.

Poodle vulnerability in SSL 3.0

What is Poodle and how does it affect me?

The POODLE exploit (Padding Oracle On Downgraded Legacy Encryption) is a vulnerability recently identified in SSLv3, an encryption protocol commonly used by browsers for HTTPS communications. The most common types of data sent over HTTPS connections are sensitive: login credentials for websites, payment information, email, or anything else for which an encrypted connection is required.

When exploited, this vulnerability allows secure connections to be decrypted to plain text that is readable by others. This is done through a man-in-the-middle attack, a form of eavesdropping in which the attacker makes independent connections with two parties who believe they are communicating directly with each other. The entire conversation is then controlled by the attacker, who relays information between the two and can inject data if they so desire.

In other words, when the POODLE vulnerability is exploited against your website, any secure communications between your web browser and the web server can be captured and read by others.

How does it work?

If a web browser's request to connect over HTTPS using a more recent protocol version such as TLS 1.0-1.2 fails, the browser might then fall back to SSL 3.0. This is the protocol in which the vulnerability lies and where the exploit is performed.
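The fallback described above ends with the server agreeing to SSL 3.0 in its ServerHello message. The following Python script is an added example, not code from the original post: it parses the record and handshake headers of a ServerHello (the sample records are constructed inline, not real captures) and flags a connection that negotiated SSL 3.0 instead of TLS, which is the condition a defender wants to detect in traffic or server scans.

```python
import struct

# Protocol version bytes as they appear in SSL/TLS record and handshake headers.
VERSION_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
                 (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HANDSHAKE = 0x16      # record content type: handshake
SERVER_HELLO = 0x02   # handshake message type: ServerHello

def parse_server_hello(record: bytes) -> dict:
    """Return the negotiated version and cipher suite from a ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _rec_major, _rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError(f"not a handshake record (type 0x{content_type:02x})")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("record body shorter than declared length")
    if len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 35:  # version(2) + random(32) + session_id_length(1)
        raise ValueError("ServerHello too short")
    major, minor = hello[0], hello[1]
    sid_len = hello[34]
    offset = 35 + sid_len  # cipher_suite(2) + compression_method(1) follow the session id
    if len(hello) < offset + 3:
        raise ValueError("ServerHello truncated before cipher suite")
    cipher_suite = int.from_bytes(hello[offset:offset + 2], "big")
    return {
        "version": VERSION_NAMES.get((major, minor), f"unknown ({major}.{minor})"),
        "cipher_suite": f"0x{cipher_suite:04x}",
        "sslv3_negotiated": (major, minor) == (3, 0),  # the POODLE precondition
    }

def build_server_hello(major: int, minor: int, cipher_suite: int) -> bytes:
    """Construct a minimal ServerHello record (sample data for testing, not a real capture)."""
    hello = bytes([major, minor]) + bytes(32) + b"\x00" + struct.pack("!H", cipher_suite) + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BBBH", HANDSHAKE, major, minor, len(handshake)) + handshake

if __name__ == "__main__":
    for ver in ((3, 0), (3, 3)):
        print(parse_server_hello(build_server_hello(*ver, 0x002f)))
```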

Goodbye SSL 3.0

The cloud and cPanel servers used by Bluegroper Web Development all support the latest transport layer protocol, TLS 1.2, and SSL 3.0 has been removed as of 29th October 2014, when the vulnerability became widely known. You can be assured that purchasing cloud and cPanel web hosting from Bluegroper Web Development through our partner gateway is totally secure. Your website hosted at Bluegroper Web Development using the SSL (HTTPS) protocol is also secure.

This won't affect SSL connections in general unless you are using an old browser, so if your browser doesn't support TLS 1.0-1.2, I suggest you get one that does. You should immediately check your browser version and, if it uses SSL 3.0, disable that protocol. Disabling SSL 3.0 will break some websites that rely on it entirely, but not being able to connect securely to those websites is a small price to pay for internet security and peace of mind.

So how do I disconnect SSL 3.0 in my browser? 

As of December 2014, the latest versions of all major web browsers support the latest transport layer protocol, TLS 1.2, and have it enabled by default. However, there are still problems on several browser versions which are not the latest, but are still supported:

  • TLS 1.1 and 1.2 supported, but disabled by default: Internet Explorer (8–10 for Windows 7 / Server 2008 R2, 10 for Windows 8 / Server 2012, IE Mobile 10 for Windows Phone 8)
  • TLS 1.1 and 1.2 not supported: Internet Explorer (6-8 for Windows Server 2003, 7–9 for Windows Vista / Server 2008), Safari 6 for Mac OS X 10.8

Disabling SSL 3 in Internet Explorer

  1. In Internet Explorer press the Alt key and select Tools.
  2. Select Internet Options.
  3. Select the Advanced tab.
  4. Scroll down to Security and uncheck SSL 3.0, and also SSL 2.0 if it's enabled; leave TLS 1.0-1.2 checked as in the diagram below.
[Diagram: Internet Explorer advanced options]

To avoid the possibility of being affected when browsing websites hosted externally to Bluegroper Web Development that are still vulnerable, we strongly recommend that our customers update their web browser of choice to the latest version available, as these will support TLS 1.2.
