It’s hard to wrap our minds around all these Internet catastrophes as they occur, and just as we thought the Internet was secure again after Heartbleed and Shellshock threatened to “end life as we know it,” out comes POODLE.
Don’t get too worked up because it is not as menacing as it sounds. The truth is that it is an issue to be concerned with, but there are simple steps you can take to safeguard yourself.
What is POODLE?
Let’s start on the ground floor. What is POODLE? First off, it stands for “Padding Oracle On Downgraded Legacy Encryption.” The security issue is exactly what the name suggests, a protocol downgrade that allows exploits on an outdated form of encryption. The issue came to the world’s attention this month when Google released a paper called “This POODLE Bites: Exploiting The SSL 3.0 Fallback”.
To explain this in simpler terms, if an attacker using a Man-In-The-Middle attack can take control of a router at a public hotspot, they can force your browser to downgrade to SSL 3.0 (an older protocol) instead of using the much more modern TLS (Transport Layer Security), and then exploit a security hole in SSL to hijack your browser sessions. Since this problem is in the protocol, anything that uses SSL is affected.
As long as both the server and the client (web browser) support SSL 3.0, the attacker can force a downgrade in the protocol, so even if your browser tries to use TLS, it ends up being forced to use SSL instead. The only answer is for either side or both sides to remove support for SSL, removing the possibility of being downgraded.
If you primarily browse from home and don’t use public hotspots, the potential for damage is pretty low, and you can just take the easy steps outlined later in the article to protect yourself. If you often use a public hotspot, it might be time to think about using a VPN.
How Can We Solve the Problem?
Since there’s no way to solve the problems with SSL, the only solution is for browser makers and web servers to upgrade everything to remove support for SSL and require only TLS encryption.
Google and Firefox have already announced that they will be removing support in the future, and while we haven’t (yet) heard the same from Microsoft, it’s extremely easy as an end-user to disable SSL 3.0 in IE. Most of the large web companies are removing support for SSL after this problem came to light, but it will take a while for everybody to do so.
As a consumer, you can remove support for SSL from your browser using one of the methods outlined below — or if you are using Firefox or Google Chrome and aren’t using hotspots all the time, you could wait for them to update the browser. Or you can make sure that you’ve fixed the problem yourself.
Disabling SSL 3.0 in Mozilla Firefox
If you are a Mozilla Firefox user, your SSL 3.0 concerns will be put to bed on November 25th, 2014 when Fireox 34 is released. The one problem with this is that it isn’t yet November and you need to take action to protect yourself now. Start by opening up your Firefox browser and navigating to the SSL Version Control download page in Firefox.
When it has successfully been installed, you can enter “about:addons” into the navigation bar and select the “SSL Version Control” extension. You can click on “Options” to see the settings for the extension. Ensure that the “Automatic Updates” are on and that the “Minimum SSL Version” is set to “TLS 1.0”
After Firefox 34 has been released, you can feel free to disable the extension or uninstall it.
Disabling SSL 3.0 in Google Chrome
If you are a Google Chrome user, you can rest assured that the SSL 3.0 will be disabled in the upcoming months, although they have not yet set a date. If you want to protect yourself now, it can be done in a few simple steps. Simply go to your Google Chrome desktop icon and right click on it then select “Properties” at the bottom of the popup menu.
In the “Properties” window you will see a text input box that says “Target.” Simply click in this box and press the “End” button on your keyboard. Next, press the “Spacebar” and copy and paste this text onto the end.
Press “Apply” then click “Continue” in the popup window then press “OK.”
Now your browser will automatically reject SSL 3.0 certificates and only accept TLS 1.0 and higher. It’s worth noting that if you launch Chrome through any other shortcut on your computer, it won’t be using this flag.
Disabling SSL 3.0 in Internet Explorer
Microsoft has not yet announced when they are planning to address the SSL 3.0 issue so it is best to disable it yourself by opening your “Start” menu and typing in “Internet Options.”
Go to the “Advanced” tab and scroll down to the “Security” section until you see the SSL and TLS options, and then un-check the option for Use SSL 3.0, and enable TLS instead.
This way you can be sure that your Internet browsers are all secure from any potential POODLE attacks.
Image Credit: Karen on Flickr