What is POODLE? It stands for “Padding Oracle On Downgraded Legacy Encryption.”
If an attacker using a Man-In-The-Middle attack can take control of a router at a public hotspot, they can force your browser to downgrade to SSL 3.0 (an older protocol) instead of using the much more modern TLS (Transport Layer Security), and then exploit a security hole in SSL to hijack your browser sessions. Since this problem is in the protocol, anything that uses SSL is affected.
As long as both the server and the client (web browser) support SSL 3.0, the attacker can force a downgrade in the protocol, so even if your browser tries to use TLS, it ends up being forced to use SSL instead. The only answer is for either side or both sides to remove support for SSL, removing the possibility of being downgraded.
How Can We Solve the Problem?
Since there’s no way to solve the problems with SSL, the only solution is for browser makers and web servers to upgrade everything to remove support for SSL and require only TLS encryption.
Most of the large web companies are removing support for SSL after this problem came to light, but it will take a while for everybody to do so.Google and Firefox have already announced that they will be removing support in the future but for now, it is extremely easy as an end-user to disable SSL 3.0 in IE.
You can remove support for SSL from your browser using one of the methods outlined below — or if you are using Firefox or Google Chrome and aren’t using hotspots all the time, you could wait for them to update the browser. Or you can make sure that you’ve fixed the problem yourself.
Disabling SSL 3.0 in Mozilla Firefox
Start by opening up your Firefox browser and navigating to the SSL Version Control download page in Firefox.
When it has successfully been installed, you can enter “about:addons” into the navigation bar and select the “SSL Version Control” extension. You can click on “Options” to see the settings for the extension. Ensure that the “Automatic Updates” are on and that the “Minimum SSL Version” is set to “TLS 1.0”
After Firefox 34 has been released, you can feel free to disable the extension or uninstall it.
Disabling SSL 3.0 in Google Chrome
Simply go to your Google Chrome desktop icon and right click on it then select “Properties” at the bottom of the popup menu.
In the “Properties” window you will see a text input box that says “Target.” Simply click in this box and press the “End” button on your keyboard. Next, press the “Spacebar” and copy and paste this text onto the end.
--ssl-version-min=tls1
Press “Apply” then click “Continue” in the popup window then press “OK.”
Now your browser will automatically reject SSL 3.0 certificates and only accept TLS 1.0 and higher. It’s worth noting that if you launch Chrome through any other shortcut on your computer, it won’t be using this flag.
Disabling SSL 3.0 in Internet Explorer
Microsoft has not yet announced when they are planning to address the SSL 3.0 issue so it is best to disable it yourself by opening your “Start” menu and typing in “Internet Options.”
Go to the “Advanced” tab and scroll down to the “Security” section until you see the SSL and TLS options, and then un-check the option for Use SSL 3.0, and enable TLS instead.
This way you can be sure that your Internet browsers are all secure from any potential POODLE attacks.
Posts
