This Poodle Bites – Another Security Vulnerability

Yesterday Google announced another security vulnerability that they have nicknamed “Poodle,” short for Padding Oracle On Downgraded Legacy Encryption (POODLE) attack (CVE-2014-3566).  And unfortunately, this Poodle bites.

Here is the short version of what you need to know and do, to protect yourself.

We all like things to be compatible, don’t we? In today’s tech-driven world we want every device to be compatible with every website and every app, every time we use it. Right?  Well, that is the most convenient way for things to work, but not the safest way for things to work.  Poodle is a result of this. In tech terms it is called making things backwards compatible, so the new technologies still play nice with the old ones. Unfortunately, the old technologies are old for a reason…they have holes and weak spots, and don’t take into account all the new ways we interact online.

Where the BASH vulnerability I posted about last week was a “Server” vulnerability, Poodle is an end user vulnerability with your browser software and how it connects using Secure Sockets Layer (SSL) to encrypt your sensitive info (think banking online). Most browsers have default settings that accept SSL 3.0 (the old technology) if you are trying to access a website that doesn’t use Transport Layer Security (TLS) (the new technology). And hackers have found a way to use that to their advantage.  (What creativity they have. Aimed in the wrong direction.)

So while companies are patching their servers, we all need to be adjusting our Browser settings. This may cause temporary inconveniences depending on the various websites you access, but it is better than having your identity stolen.

If you want a slightly more detailed explanation, this is a good one and not too techie.
http://www.forbes.com/sites/jameslyne/2014/10/15/poodle-security-vulnerability-breaks-sslv3-secure-browsing/

How to tell if your Browser is vulnerable

Run the POODLE test using each different browser you have installed on your computer. On my computer I have Internet Explorer, Firefox and Chrome. So, I had to test all three.

  1. Open your browser and go to: https://www.poodletest.com/
  2. If your browser is vulnerable, you will see the image of a poodle. (Ya, a bit cutesy for me, but it works.)
  3. If your browser is not vulnerable you will see the image of a Springfield Terrier. YAY, you are done.
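
For readers who can capture their own traffic, whether a particular connection actually fell back to SSL 3.0 can be read from the server's reply in the handshake (the ServerHello), which carries the protocol version that was chosen. The Python below is an added example, not part of the original post; the function names are made up for illustration and the sample bytes are constructed, not captured traffic.

```python
import struct

# Protocol version numbers as they appear on the wire.
VERSIONS = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",  # TLS 1.3 also puts 0x0303 in this field
}

def server_hello_version(data: bytes) -> int:
    """Return the version the server selected, read from a ServerHello record."""
    if len(data) < 11:
        raise ValueError("too short to hold a ServerHello")
    rec_type, _rec_ver, rec_len = struct.unpack("!BHH", data[:5])
    if rec_type != 0x16:
        raise ValueError("not a handshake record")
    if len(data) < 5 + rec_len:
        raise ValueError("truncated record")
    if data[5] != 0x02:
        raise ValueError("handshake message is not a ServerHello")
    # Bytes 6-8 are the 3-byte handshake length; the chosen version follows.
    return struct.unpack("!H", data[9:11])[0]

def fell_back_to_ssl3(data: bytes) -> bool:
    """True when the server's reply selects SSL 3.0, the POODLE-exposed protocol."""
    return server_hello_version(data) == 0x0300

def sample_server_hello(version: int) -> bytes:
    """Build a minimal constructed ServerHello (sample data, not a capture)."""
    body = struct.pack("!H", version) + bytes(32)  # version + 32-byte random
    body += b"\x00"                                # empty session id
    body += b"\x00\x35\x00"                        # cipher suite, null compression
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake

if __name__ == "__main__":
    for v in (0x0300, 0x0303):
        hello = sample_server_hello(v)
        name = VERSIONS.get(server_hello_version(hello), "unknown")
        verdict = "SSL 3.0 fallback" if fell_back_to_ssl3(hello) else "ok"
        print(f"{name}: {verdict}")
```
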

How to Change your Browser Setting

Internet Explorer – You will need to deactivate the option that allows SSL 3.0 connections.

  1. For older browsers, on the menu at the top click on Tools, then select Internet Options. For newer versions of Internet Explorer, click on the settings graphic in the upper right corner, then select Internet Options.
  2. Click on the Advanced tab. Scroll down to the Security section and UN-Check the option that says “Use SSL 3.0.”  Click Apply.
  3. Take the POODLE test again. https://www.poodletest.com/

 

Firefox – Apply the Firefox SSL Version Control add-on.

  1. Go to:  https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/    and click “Add to Firefox.”
  2. Click Install
  3. Once Successful, retest your browser at:  https://www.poodletest.com/

Chrome – Google Chrome has already applied changes that disable SSL 3.0.

Safari – You might have to wait for their next update. I only found a couple of resources for you and the one with the fixes is too techie even for me. I have listed them below in case you are brave, more techie than I or have an Apple Angel to help you.

Hope this helps and wishing you only cute, fluffy, friendly Poodles!
