Big Bytes

Vulnerability in SSL 3.0 – Leashing of Poodle

It seems that SSL just cannot stay out of the news. Another vulnerability, this time in SSL 3.0, has been disclosed on the Google Online Security Blog. While SSL 3.0 has already been around for almost 15 years, it’s still being used throughout the Web, and nearly every browser supports it.

The key point, though, is that even though newer and more secure versions of SSL are out and are being used, browsers fall back to older protocols when connections fail. This means an attacker can cause connection problems with the intent of triggering a deprecated version of SSL, leading to the exploitation of the service and allowing once-encrypted information to be seen in plain text. The newly disclosed vulnerability in SSL 3.0 does exactly this. It has been dubbed POODLE, an acronym for Padding Oracle On Downgraded Legacy Encryption.

If you’re in the less than one percent of users relying on outdated browsers, simply download a newer client such as Mozilla Firefox. Newer clients use a more secure protocol than SSL, known as TLS, and have the added benefit of updating automatically, which can help you remain secure in the future!

If you are using the latest version of Firefox, Mozilla will be disabling SSL v3 by default in its November 25th Firefox update, but you don’t have to wait for that update: Mozilla has created a plugin that will allow you to set the minimum SSL version that Firefox will accept.

To turn off SSLv3 support in Internet Explorer 11: Setting -> Internet Options -> Advanced Tab -> Uncheck “SSLv3” under “Security”.

We have started disabling SSLv3 across all our offerings, thus protecting all our services against this vulnerability. In case you have questions or concerns, feel free to reach out to our support team anytime.

Also note that in Firefox and Chrome, users will have to do the following to disable SSLv3 (this is to ensure an attacker doesn’t use browser sessions to attack others):

Chrome users that just want to get rid of SSLv3 can use the command line flag --ssl-version-min=tls1 to do so. (We used to have an entry in the preferences for that but people thought that “SSL 3.0” was a higher version than “TLS 1.0” and would mistakenly disable the latter.)

In Firefox you can go into about:config and set security.tls.version.min to 1. I expect that other browser vendors will publish similar instructions over the coming days.
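To confirm the two browser settings above actually took effect on a machine, the following added example (not part of the original post) reads the text of a Firefox prefs.js/user.js file and a Chrome launch command line and reports whether SSL 3.0 is still permitted. The sample inputs are constructed, and "last assignment wins" is an assumption of this sketch.

```python
import re
import shlex

# Firefox encodes the protocol floor as an integer in security.tls.version.min.
FIREFOX_VERSIONS = {0: "ssl3", 1: "tls1", 2: "tls1.1", 3: "tls1.2", 4: "tls1.3"}
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"security\.tls\.version\.min"\s*,\s*(\d+)\s*\)\s*;',
    re.M)

# Constructed sample inputs (not taken from a real profile or process list).
SAMPLE_PREFS = '''user_pref("browser.startup.page", 3);
// user_pref("security.tls.version.min", 0);
user_pref("security.tls.version.min", 1);
'''
SAMPLE_CHROME = "chrome --ssl-version-min=tls1 --no-first-run"


def firefox_min_version(prefs_text):
    """Return the protocol floor set in prefs text, or None if the pref is unset."""
    matches = PREF_RE.findall(prefs_text)   # commented-out lines do not match
    if not matches:
        return None                         # browser's built-in default applies
    value = int(matches[-1])                # assumption: last assignment wins
    return FIREFOX_VERSIONS.get(value, "unknown(%d)" % value)


def chrome_min_version(command_line):
    """Return the value of --ssl-version-min on a command line, or None."""
    result = None
    for arg in shlex.split(command_line):
        if arg.startswith("--ssl-version-min="):
            result = arg.split("=", 1)[1].lower()  # assumption: last one wins
    return result


def allows_sslv3(min_version):
    """True if SSL 3.0 is still accepted, None if no explicit floor is set."""
    if min_version is None:
        return None
    return min_version == "ssl3"


if __name__ == "__main__":
    for name, floor in (("Firefox", firefox_min_version(SAMPLE_PREFS)),
                        ("Chrome", chrome_min_version(SAMPLE_CHROME))):
        print(name, "floor:", floor, "SSLv3 allowed:", allows_sslv3(floor))
```

A result of None means no explicit floor was found, so the answer depends on the default of the installed browser version and should be checked separately.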
