POODLE Attacks Browsers????

No we haven’t lost it!

POODLE (Padding Oracle On Downgraded Legacy Encryption) is the latest in a string of issues found in the software used for secure access to servers and applications across the Internet.

It doesn’t matter whether you run Windows, Mac, or Linux: it directly affects your Internet browser.


When you access websites such as your online bank, Facebook, or Google, you typically connect using https://, a feature called SSL (Secure Sockets Layer). SSL encrypts your traffic so that an attacker sitting between you and the website cannot intercept, spy on, or modify your information, but a new security flaw can break that protection.

This widely used security technique is what prevents someone sitting next to you in Starbucks from watching your transactions as you access your Internet banking, and it is also what protects your username and password from being stolen by cyber criminals when you access your e-mail account.

Simply put: SSL is a core component of security, privacy and trust on the Internet.

As good as all that sounds, unfortunately many sites still fail to follow best practice, and many don’t implement these security features at all, leaving information open to interception. Even sites that try to do the right thing can suffer significant setbacks from implementation failures or security vulnerabilities. That is precisely what has happened with the new, oddly but cutely named, POODLE vulnerability discovered by Google.

I can hear you now: “But Paul, don’t we need SSL?”

SSL has a number of different versions, and which ones your website provider supports matters from a security standpoint. The POODLE vulnerability affects SSL version 3 (an older version) and, under the right conditions, would allow an attacker to obtain information that lets them take over your account. For example, the flaw may allow an attacker to recover credentials and hijack the identity of another user.

For the attack to work, the attacker must be on the same network (or in the path of your communications) and your client must be running JavaScript (such as in a web browser), which makes the attack less serious overall than vulnerabilities like Heartbleed. This attack targets clients, as opposed to servers as with Heartbleed, so it is of greatest concern to users browsing on wireless hotspots in coffee shops, book stores, and other community wireless locations.


What’s the impact to you?

As a website owner, you do NOT need to revoke and regenerate server certificates, as you did with Heartbleed. If you are running a secure website, the vulnerability puts your visitors’ usernames and passwords at risk while they are actively logging into your site and while they are downloading or uploading data. We are actively investigating all our servers and websites that use SSL, and will contact you if any changes are needed.

Protect Yourself

There are changes you can make to your Internet browser to eliminate your risk. The directions below, with pictures, can be found at https://www.digicert.com/ssl-support/disabling-browser-support-ssl-v3.htm.

Firefox browser

Firefox from version 34 onwards disables SSLv3 by default and so requires no action. However, at the moment version 33 has just been released, and 34 is scheduled for November 25.

  1. Open a new browser window, type about:config in the address bar, and hit Enter (or click the arrow at the end).
  2. Agree to the warning.
  3. In the search box, type security.tls.version.min and set the value to 1.
  4. Close your browser and re-open it.

Microsoft Internet Explorer

  1. Click the Tools icon in the top right corner (the icon looks like a gear).
  2. Scroll down and click Internet Options.
  3. Select the Advanced tab, then scroll through the list of settings until you reach the Security category, uncheck Use SSL 3.0, and click Apply.
  4. Then click OK.
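If you look after several Windows machines, unchecking the box on each one by hand gets old quickly. The following PowerShell script is an added example (not from the original post or from DigiCert) that goes one step further than the Internet Explorer instructions: it disables SSL 3.0 for the whole machine through the SChannel registry keys that Internet Explorer and IIS both rely on, and then reads the values back to confirm. It assumes an elevated (Administrator) PowerShell prompt and that the SSL 3.0 keys may not exist yet.

```powershell
# Added example: disable SSL 3.0 machine-wide on Windows via the SChannel registry keys.
# Client side covers Internet Explorer; Server side covers IIS and other SChannel servers.
# Run from an elevated PowerShell prompt; a reboot is needed before the change takes effect.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0'

function Disable-Ssl3 {
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $base $side
        # The SSL 3.0 subkeys are usually absent until an administrator creates them.
        if (-not (Test-Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        # Enabled = 0 switches the protocol off; DisabledByDefault = 1 keeps it off
        # even for applications that do not explicitly choose their protocol versions.
        New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

function Test-Ssl3Disabled {
    # Returns $true only when both the Client and Server keys have SSL 3.0 switched off.
    $ok = $true
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $base $side
        if (-not (Test-Path $key)) { $ok = $false; continue }
        $props = Get-ItemProperty -Path $key
        if ($props.Enabled -ne 0 -or $props.DisabledByDefault -ne 1) { $ok = $false }
    }
    return $ok
}

Disable-Ssl3
if (Test-Ssl3Disabled) {
    Write-Host 'SSL 3.0 is disabled for client and server; reboot for the change to take effect.'
} else {
    Write-Host 'Could not confirm the SSL 3.0 registry settings; check that the prompt is elevated.'
}
```

After the reboot, the https://poodletest.com check mentioned below should report the browser as safe, and the Use SSL 3.0 checkbox in Internet Explorer no longer has any effect.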

Check to make sure your fixes worked!  Go to https://poodletest.com and follow the directions.

As always, we are here to help. Give us a shout at 717-831-8324 or help@seamrogtech.com.

PS.  Share this with your friends, family, and colleagues so they can protect themselves.
