Yesterday, Google published a post that exposes a flaw in Web encryption standards. It’s similar to the Heartbleed bug exploited earlier this year but not nearly as serious.
It’s called POODLE (Padding Oracle On Downgraded Legacy Encryption), which exploits yet another vulnerability in one of the Internet’s basic security protocols (SSL more commonly known as https in your browser) that could potentially give an attacker access to your sensitive online account information.
Who it affects
Any secure connection (https) you make via your web browser is at risk. That means visiting banks, PayPal, online shopping sites, etc are all vulnerable.
What’s at risk
The attacker could potentially decrypt and read any of your sensitive data (passwords, etc) for any secure website you’re connected to via https.
Are servers and clients both affected?
Yes, however the vulnerability exists only if both the server and client accept SSL v3.0 (which is the fallback cipher suite after TLSv1/TLSv1.1/TLS1.2 due to a downgrade attack).
How the exploit can happen
The attacker must be on the same wireless network (man-in-the-middle) and your computer must be running Javascript (a web browser). You’re pretty much safe at home but not public WiFis like Starbucks.
Can I test to see if I’m vulnerable?
Yes. Visit this website: https://www.poodletest.com/.
Can I test websites to see if they’re vulnerable?
Yes. Visit this website: http://www.poodlescan.com/
What’s the downside to disabling SSL v3.0?
Besides the obvious case of being vulnerable, not much. If you still use IE 6 on Windows XP you will no longer be able to connect via https. Honestly, if you’re still using IE 6 on Windows XP, you’ve got many other security risks besides this. Upgrade ASAP.
How to fix this
The only correct way to fix POODLE is to disable SSL v3.0 in all your browsers. The problem is, there isn’t an easy way to do this right now. Each browser will be rolling out fixes soon so make sure to upgrade asap. Admins should also disable SSL v3.0 on their servers.
If you use Chrome on a Mac, you can disable SSL v3.0 by launching Chrome via the command line with a special parameter.
Follow these steps:
Close out all your Chrome browsers
Launch “Applications” => “Utilities” => Terminal
Copy and paste the following and hit “return”. It will launch Chrome with SSL v3.0 disabled.
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome –args –ssl-version-min=tls1
The good news
We’ve already disabled SSL v3.0 on our servers so your customer data is safe. We also re-keyed our SSL certificates earlier this year to be extra safe against the Heartbleed exploit.
Recommendations
Until web browsers release a fix, I’d steer clear of any public WiFi network and limit (if not completely stop) any https website visits. If you really must, check the website first and make sure it’s been patched. Most everyone uses a computer on their home network which is pretty secure (assuming you’ve got a complex WiFi password and WPA2 encryption) so I wouldn’t worry too much.
