Dear Wikidot Users,
on Tuesday, October 14, 2014, the Google research team released details on a new form of attack on the SSL protocol — the one that underlays the secure connections over https://. It's called POODLE (Padding Oracle On Downgraded Legacy Encryption) and it targets CBC ciphers in SSLv3. Is it serious? Yes.
An attacker can perform a man-in-the-middle attack, force a fall-back to SSLv3 (which is an old, almost legacy protocol) and de facto decrypt "secure" client-server transmission. The attacker must however place himself between the client and the server, e.g. acting as a WiFi access point, or gain access to routers or gateways. It's not that uncommon as you think.
The general recommendation is not to use the vulnerable SSLv3 and completely remove it from the supported protocols.
At Wikidot we have already pulled SSLv3 from all our servers — all our load balancers and all standalone web servers. It should not affect anything from the user perspective, but it greatly improves the security. Want to verify? Try this tool and enter your site URL (or just www.wikidot.com).
I know that our users value privacy and security. We are doing everything we can to protect your data, keep it accessible and secure.
If you want to make a step forward and disable SSLv3 in your browser (highly recommended, I just did), take a look at this guide. This should protect you from the vulnerability on websites that have not disabled SSLv3 just yet. I hope patches for Android, iOS and all major browsers are coming quickly.
Thanks michal for the info and the warning! I shall forward this to all my friends and colleg.
Well explained and fast reacted!
Regards
Helmut
Service is my success. My webtips:www.blender.org (Open source), Wikidot-Handbook.
Sie können fragen und mitwirken in der deutschsprachigen » User-Gemeinschaft für WikidotNutzer oder
im deutschen » Wikidot Handbuch ?
Excellent reaction time. I just scanned all major Finnish banks just out of curiosity and they were all still vulnerable.
___TTT___/ http://www.trumpetexercises.net
(_|||_) \ - Janne
The funny scary thing is that (if I understand correctly) SSLv3 has been vulnerable since its creation — 18 years ago. It's just broken by design.
Michał Frąckowiak @ Wikidot Inc.
Visit my blog at michalf.me