On the tail-end of the Heartbleed bug that was exposed earlier this year comes a new vulnerability in web encryption standards: POODLE.
What is POODLE?
POODLE stands for Padding Oracle On Downgraded Legacy Encryption, and it can affect any secure https connections made through your web browser. The danger of this particular flaw is that sensitive data (e.g., logins, passwords, card numbers, etc.) can potentially be decrypted and accessed on any secure website that uses an https connection. Both clients and servers are affected by this vulnerability, but this only occurs if both accept SSL v3.0.
A home wireless network with a secure password and WPA2 encryption is not likely to be affected, since the attacker must be on the same network. However, WiFi networks that are open to the public (e.g., libraries, universities, coffee shops, etc.) can be vulnerable through a man-in-the-middle attack.
What can be done about POODLE?
The good news is that there are a few quick tests out there to see if you or the site you are visiting is vulnerable.
- You can test to see if the browser you are using is vulnerable by going to www.poodletest.com. When you go to the site, it will check to see if your browser supports SSL v3.0. If it does, then the site will show you an image of a poodle, indicating that it may be vulnerable. If your browser doesn’t support SSL v3.0, then the site will show you a Springfield Terrier, indicating that it is not vulnerable. Keep in mind that your browser is only truly vulnerable if the site that you are visiting is also vulnerable.
- You can test sites themselves by going to www.poodlescan.com. There you can type in the URL of the site you would like to test, and it will indicate if it is vulnerable or not. At the time of this article, large social networks such as Facebook and Twitter were not vulnerable. However, other large sites such as Google, YouTube, and Amazon appear to have vulnerability.
In order to fix this vulnerability for yourself, you will need to disable SSL v3.0 in your browser(s). It is also recommended that admins disable SSL v3.0 on their servers as well. The downside to disabling SSL v3.0 is still being vulnerable without it. Fixing this vulnerability will also break Internet Explorer 6 if that’s the browser you use. Keep in mind, though, that IE 6 is a very outdated browser with multiple other security risks in addition to this, and it is recommended that you upgrade it immediately.
All major browsers should be releasing fixes for this vulnerability soon, so we recommend upgrading as soon as those are available. Until the upgrades are released, we recommend that you avoid using public WiFi networks (especially large networks with many users) and try to avoid visiting any https sites. If you need to visit an https site, we recommend that you check the site first using the above methods.