The “Poodle” attack on websites and browsers was all over the media a few weeks ago, following in the shadow of Heartbleed.
Here’s what most users need to know… This is a vulnerability that exists in secure internet communication because…
- While most newer systems rely on TLS security, they still support older protocols (SSLv3 in particular for this issue)
- As secure communications generally attempt to find a “common” method, they will often “drop down” to older supported versions (even if they are now often considered insecure!)
- Most browser and server software (unless recently patched) will allow for this “drop down” in security.
- Most software provides a mechanism to disable this by the user or in configuration.
- Upgrading your software will usually remove these “problematic” vulnerabilities.
Simply put… for a consumer, it’s best to upgrade to a newer browser, or to find the appropriate configuration setting to disable SSLv3 if you are unable to upgrade. Server administrators generally should update their software on a regular basis for security items such as this one!
NOTE: Many CDNs such as CloudFlare are proactive and block this vulnerability.
Technical details on the Poodle vulnerability (if you’re into that sort of thing!):
Instructions here are for Apache HTTPd 2.2.23 and newer; other servers will require a similar change:
- Open the mod_ssl configuration in an editor:
sudo vi /etc/apache2/mods-enabled/ssl.conf
- Change the following line from:
SSLProtocol All -SSLv2
to:
SSLProtocol All -SSLv2 -SSLv3
- Reload (or restart) Apache so the change takes effect:
sudo service apache2 reload
sudo service apache2 restart
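As an added example (not part of the original post, and not Apache's own code), the following Python evaluates an SSLProtocol line the way mod_ssl does and contrasts what a normal handshake picks with what a client that "drops down" on failure can be pushed to; the expansion of "All" and the client preference order are assumptions.

```python
# Added example, not from the original post: evaluate an Apache SSLProtocol
# line as mod_ssl does and show what a client that "drops down" can reach.

# What "All" expanded to in mod_ssl builds of the POODLE era (assumption;
# SSLv2 had to be named explicitly, which is why the line says "-SSLv2").
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

# A browser's version preference, highest first (constructed sample).
CLIENT_ORDER = ("TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3")

def enabled_protocols(directive):
    """Apply an 'SSLProtocol ...' directive: a bare or '+' name enables a
    version, '-' disables it, and 'All' expands to ALL_PROTOCOLS."""
    tokens = directive.split()
    if not tokens or tokens[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive: %r" % directive)
    enabled = set()
    for tok in tokens[1:]:
        op = "+"
        if tok[:1] in ("+", "-"):
            op, tok = tok[0], tok[1:]
        names = ALL_PROTOCOLS if tok.lower() == "all" else (tok,)
        for name in names:
            if op == "+":
                enabled.add(name)
            else:
                enabled.discard(name)
    return enabled

def negotiated(server, client_order=CLIENT_ORDER):
    """Normal handshake: the highest version both sides support."""
    for version in client_order:
        if version in server:
            return version
    return None

def lowest_reachable(server, client_order=CLIENT_ORDER):
    """Downgrade dance: a client that retries with the next lower version
    after a failed handshake can be walked down to the lowest version the
    server still accepts, whatever the normal handshake would have picked."""
    for version in reversed(client_order):
        if version in server:
            return version
    return None

def poodle_exposed(directive):
    """True when a fallback-capable client can still be pushed to SSLv3."""
    return lowest_reachable(enabled_protocols(directive)) == "SSLv3"
```

With the "before" line both sides normally agree on TLSv1.2, yet a client forced to retry still lands on SSLv3; with "-SSLv3" added the lowest reachable version is TLSv1.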
Can be tested at the following websites: