SSLv3 vulnerability - POODLE

by michal-frackowiak on 16 Oct 2014 07:55

poodle.jpg

Dear Wikidot Users,

On Tuesday, October 14, 2014, Google's security researchers published details of a new attack on the SSL protocol, the protocol underlying secure connections over https://. It is called POODLE (Padding Oracle On Downgraded Legacy Encryption) and it targets block ciphers in CBC mode under SSLv3, where the padding at the end of each record is not covered by the MAC and only its last byte is ever checked. Is it serious? Yes.

An attacker who can act as a man-in-the-middle can force the client and server to fall back to SSLv3 (an old, effectively legacy protocol) and then use the padding check as an oracle to recover secrets from the "secure" connection, such as a session cookie, one byte at a time (on average about 256 forged requests per byte). The attacker must first get between the client and the server, e.g. by running a WiFi access point or by compromising routers or gateways. That is not as uncommon as you might think.
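To make the mechanism concrete, here is an added simulation of the attack. This is example code written for this post, not Wikidot's own code and not the code from the POODLE paper. Everything in it is a constructed stand-in: an 8-byte toy Feistel block cipher (POODLE does not care which block cipher is used), fixed fake keys, a fake cookie `s3cr3t`, the request header strings, the function names `client_send`, `server_accepts` and `poodle_recover`, and the simplification that every record gets a fresh random IV. What is faithful to SSLv3 is the record layout (data, then MAC, then padding whose last byte gives the padding length and whose other bytes are never checked) and the trick: the man-in-the-middle copies the ciphertext block holding the target byte over the padding block and watches whether the server accepts the record. The `strict=True` switch on the server adds the padding check that TLS 1.0 and later perform, and the attack then stalls, which is why dropping SSLv3 is the fix.

```python
import hashlib
import hmac
import random

# Constructed stand-ins: a toy 8-byte Feistel block cipher (POODLE does not
# depend on which block cipher is used), fixed keys, and a fake cookie.
BLOCK = 8
MAC_LEN = 16
ENC_KEY = b"constructed-enc-key"
MAC_KEY = b"constructed-mac-key"
SECRET = b"s3cr3t"                               # the cookie the attacker is after
HDR_PRE, HDR_POST, HDR_END = b"GET /", b" HTTP/1.0\r\nCookie: ", b"\r\n\r\n"
rng = random.Random(2014)                        # seeded so every run is reproducible

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, i):                            # Feistel round function
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]

def _enc_block(key, blk):
    l, r = blk[:4], blk[4:]
    for i in range(8):
        l, r = r, _xor(l, _f(key, r, i))
    return l + r

def _dec_block(key, blk):
    l, r = blk[:4], blk[4:]
    for i in reversed(range(8)):
        l, r = _xor(r, _f(key, l, i)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = _enc_block(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(_dec_block(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def _mac(data):                                  # stand-in for SSLv3's record MAC
    return hmac.new(MAC_KEY, data, hashlib.sha256).digest()[:MAC_LEN]

def client_send(path_len, body_len):
    """Victim browser: attacker-chosen path/body lengths, cookie attached.
    SSLv3 layout: data || MAC || padding, last byte = number of pad bytes,
    the other pad bytes are random and never checked. A fresh IV per record
    models the CBC state changing between requests."""
    data = HDR_PRE + b"a" * path_len + HDR_POST + SECRET + HDR_END + b"b" * body_len
    body = data + _mac(data)
    pad_len = (-len(body) - 1) % BLOCK
    padding = bytes(rng.getrandbits(8) for _ in range(pad_len)) + bytes([pad_len])
    iv = rng.getrandbits(8 * BLOCK).to_bytes(BLOCK, "big")
    return iv, cbc_encrypt(ENC_KEY, iv, body + padding)

def server_accepts(iv, record, strict=False):
    """SSLv3 server: trusts the last byte as the pad length and checks only the
    MAC. strict=True also verifies every pad byte (what TLS 1.0+ does), which
    removes the oracle."""
    pt = cbc_decrypt(ENC_KEY, iv, record)
    pad_len = pt[-1]
    if pad_len >= BLOCK:
        return False
    if strict and any(b != pad_len for b in pt[-1 - pad_len:]):
        return False
    body = pt[:len(pt) - 1 - pad_len]
    return hmac.compare_digest(body[-MAC_LEN:], _mac(body[:-MAC_LEN]))

def poodle_recover(secret_len, strict=False, max_tries=5000):
    """Man-in-the-middle: recover the cookie byte by byte (about 256 requests
    per byte). Assumes the attacker knows the cookie length (visible from
    record sizes) and can make the browser send requests of chosen shape."""
    recovered, tries = bytearray(), 0
    for idx in range(secret_len):
        offset = len(HDR_PRE) + len(HDR_POST) + idx
        path_len = (BLOCK - 1 - offset) % BLOCK  # target byte becomes last byte of a block
        t = (offset + path_len) // BLOCK         # index of the block holding it
        req_len = len(HDR_PRE) + path_len + len(HDR_POST) + secret_len + len(HDR_END)
        body_len = (-(req_len + MAC_LEN)) % BLOCK  # record ends with a full block of padding
        for _ in range(max_tries):
            iv, rec = client_send(path_len, body_len)
            tries += 1
            blocks = [iv] + [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]
            c_t, c_prev, c_before_last = blocks[t + 1], blocks[t], blocks[-2]
            forged = rec[:-BLOCK] + c_t          # copy the target block over the padding block
            if server_accepts(iv, forged, strict):
                # accepted <=> D(c_t)[-1] ^ c_before_last[-1] == BLOCK-1, and the real
                # plaintext byte is D(c_t)[-1] ^ c_prev[-1]
                recovered.append((BLOCK - 1) ^ c_before_last[-1] ^ c_prev[-1])
                break
        else:
            break                                # no oracle answer: the attack stalls
    return bytes(recovered), tries

if __name__ == "__main__":
    got, n = poodle_recover(len(SECRET))
    print(f"recovered {got!r} after {n} requests")
```

Running it recovers the fake cookie after roughly 256 requests per byte; the same call with `strict=True` recovers nothing, because a forged record is then only accepted when the whole decrypted padding block happens to be valid, which is hopeless at 8 bytes. Note that the server leaks the result through its accept/reject behaviour alone; the attacker never sees a decrypted byte directly, only whether the MAC check passed.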

The general recommendation is to stop using the vulnerable SSLv3 and remove it completely from the list of supported protocols, on servers and in clients alike.

At Wikidot we have already pulled SSLv3 from all our servers — all our load balancers and all standalone web servers. It should not affect anything from the user's perspective, but it greatly improves security. Want to verify? Try this tool and enter your site URL (or just www.wikidot.com).

I know that our users value privacy and security. We are doing everything we can to protect your data, keep it accessible and secure.

If you want to go a step further and disable SSLv3 in your browser (highly recommended, I just did), take a look at this guide. This should protect you from the vulnerability on websites that have not disabled SSLv3 yet. I hope patches for Android, iOS and all major browsers are coming quickly.
