We tweeted early yesterday evening that a new major vulnerability was about to be disclosed and sure enough, late last night, the full disclosure was released. The latest discovery of a serious vulnerability affecting all internet users (following on from Shellshock and the previous Heartbleed) was initially made by some security researchers from Google who, in these days of wanting to give everything a catchy (and in Google’s case an animal – Panda, Penguin etc) name, must have been jumping for joy when they realised that the acronym gave them exactly that ! By the way, POODLE standards for Padding Oracle On Downgraded Legacy Encryption.
This potentially affects everyone connecting to a secure website using https. SSLv3 is quite an old protocol and most servers / websites / browsers will use a more modern protocol (TLS2.1/TLS1.1/TLS1) which are not affected when encrypting data (ie https) so you might think there would be few problems. When making a secure connection, a browser will use the most secure connection that both it and the server / website support. However, in order to maintain backward compatibility for old systems, connections can negotiate a lower level of secure connection and this is where the problem arises. It is possible for an attacker to force a connection to downgrade a perfectly secure TLS connection to an insecure SSLv3 one.
If you are hosted by us – then YES ! We checked every single server and disabled SSLv3 where it was still enabled, as soon as this was announced. We have taken the opportunity to further enhance SSL security on all our servers and this can checked using the great website from Qualys SSL Labs. All websites on our servers should return either an A or an A+ rating if they have their own SSL certificate installed.
If your browser supports SSLv3 (which currently almost all do – you can test by visiting https://www.poodletest.com) AND you visit a website on a server that still supports SSLv3 AND your attacker is on the same network (usually a public wireless network as this type of connection is very insecure – unless you use a VPN to secure your wireless connection as we wrote about only a few days ago). So you are pretty much safe when connecting to websites from your home or work network but not from public wireless networks.
Internet Explorer 6 on Windows XP is the only browser that is currently still in use that can only use SSLv6 – so this means that visitors to a website where SSLv3 is disabled will not be able to get a secure connection. The global percentage of people still using this combination (and who have got far greater security issues to worry about anyway than this) has dropped dramatically in the past year and we see almost no traffic to websites across our whole network.