Yesterday, Google published a post that exposes a flaw in Web encryption standards. It’s similar to the Heartbleed bug exploited earlier this year but not nearly as serious.
It’s called POODLE (Padding Oracle On Downgraded Legacy Encryption), which exploits yet another vulnerability in one of the Internet’s basic security protocols (SSL more commonly known as https in your browser) that could potentially give an attacker access to your sensitive online account information.
Who it affects
Any secure connection (https) you make via your web browser is at risk. That means visiting banks, PayPal, online shopping sites, etc are all vulnerable.
What’s at risk
The attacker could potentially decrypt and read any of your sensitive data (passwords, etc) for any secure website you’re connected to via https.
Are servers and clients both affected?
Yes, however the vulnerability exists only if both the server and client accept SSL v3.0 (which is the default fallback cipher suite for all web browsers and servers after TLSv1/TLSv1.1/TLS1.2).
How the exploit can happen
Can I test to see if I’m vulnerable?
Yes. Visit this website: https://www.poodletest.com/.
Can I test websites to see if they’re vulnerable?
Yes. Visit this website: http://www.poodlescan.com/
What’s the downside to disabling SSL v3.0?
If you still use IE 6 on Windows XP you will no longer be able to connect via https. Honestly, if you’re still using this setup, you’ve got many other security risks besides this. Upgrade ASAP.
How to fix this
The only correct way to fix POODLE is to disable SSL v3.0 in all your browsers. The problem is, there isn’t an easy way to do this right now. Each browser will be rolling out fixes soon so make sure to upgrade asap. Admins should also disable SSL v3.0 on their servers.
If you use Chrome on a Mac, you can disable SSL v3.0 by launching Chrome via the command line with a special parameter.
Follow these steps:
- Close out all your Chrome browsers
- Launch “Applications” => “Utilities” => Terminal
- Copy and paste the following and hit “return”. It will launch Chrome with SSL v3.0 disabled.
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --args --ssl-version-min=tls1
To fix it in all other browsers, check out this page for great tutorials.
The good news
We’ve already disabled SSL v3.0 on our servers so your customer data is safe. We also re-keyed our SSL certificates earlier this year to be extra safe against the Heartbleed exploit.
Until web browsers release a fix, I’d steer clear of any public WiFi network and limit (if not completely stop) any https website visits. If you really must, check the website first and make sure SSL v3.0 has been disabled. Most everyone uses a computer on their home network which is pretty secure (assuming you’ve got a complex WiFi password and WPA2 encryption) so in this case, I wouldn’t worry too much.