POODLE SSL Vulnerability: Protect Yourself
on
On October 14, 2014 Google announced that SSLv3 (Secure Socket Layer, version 3) was vulnerable to an attack which has been given the cute name POODLE (Padding Oracle On Downgraded Legacy Encryption).
OpenConcept has previously recommended the removal of support for SSLv3 in our Drupal Security Guide. Fallback to SSLv3 has been disabled on OpenConcept's servers. All HTTP servers providing encrypted service (HTTPS) should be forced to drop SSLv3 and support only TLS (Transport Layer Security). See the guide for instructions on how to do this.
It is important to note that everyone who uses SSL should take action in their own browser configuration to avoid the exploit as well. Otherwise your browser may fallback to SSLv3 without your knowledge, leaving your communications vulnerable to interception by a third party (spying).
What can you do?
This page has a warning near the top if your browser may be vulnerable to the fallback. It also has instructions for the major browser on how to disable the fallback.
Qualys SSL Test can be used to check if a server has vulnerability to this or other exploits.
Also, stop using Internet Explorer 6. No, seriously. Not only is it past its End-Of-Life and no longer receiving updates, but IE6 on Windows XP has no TLS support, and can only use SSL via insecure methods. As of today, there is no way for IE6 to provide secure connections.
Add new comment