POODLE SSL Vulnerability: Protect Yourself
On October 14, 2014 Google announced that SSLv3 (Secure Sockets Layer, version 3) was vulnerable to an attack which has been given the cute name POODLE (Padding Oracle On Downgraded Legacy Encryption).
OpenConcept has previously recommended the removal of support for SSLv3 in our Drupal Security Guide. Fallback to SSLv3 has been disabled on OpenConcept's servers. All HTTP servers providing encrypted service (HTTPS) should be forced to drop SSLv3 and support only TLS (Transport Layer Security). See the guide for instructions on how to do this.
It is important to note that everyone who uses SSL should take action in their own browser configuration to avoid the exploit as well. Otherwise your browser may fall back to SSLv3 without your knowledge, leaving your communications vulnerable to interception by a third party (spying).
What can you do?
This page has a warning near the top if your browser may be vulnerable to the fallback. It also has instructions for the major browsers on how to disable the fallback.
Qualys SSL Test can be used to check whether a server is vulnerable to this or other exploits.
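The Qualys test is a hosted service; as an added example (not code from the original post or from the OpenConcept guide), the Python script below performs the same SSLv3 check against your own server locally. It sends a minimal SSLv3 ClientHello and reports whether the server answers with an SSLv3 ServerHello (SSLv3 still enabled, so the downgrade is possible) or with an alert or a closed connection (SSLv3 disabled). The host name in the script is a placeholder and the cipher suite list is a constructed sample.

```python
"""Check whether a TLS endpoint still accepts an SSLv3 (version 3.0) handshake."""
import os
import socket
import struct

SSLV3 = b"\x03\x00"
# Constructed sample of SSLv3-era suites (RSA key exchange with RC4/3DES/AES).
# Any non-empty list works: the point is only whether version 3.0 is accepted.
CIPHER_SUITES = [0x0004, 0x0005, 0x000A, 0x002F, 0x0035]


def build_client_hello(cipher_suites=CIPHER_SUITES):
    """Return a complete SSLv3 ClientHello record (record + handshake headers)."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        SSLV3                                   # client_version = 3.0
        + os.urandom(32)                        # 32-byte client random
        + b"\x00"                               # session_id length 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                           # one compression method: null
    )
    # Handshake header: type 1 (ClientHello) + 3-byte body length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 22 (handshake), version 3.0, 2-byte length.
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Map the first record a server sends back to a verdict string."""
    if len(data) < 5:
        return "closed"                         # no record at all: server dropped us
    content_type = data[0]
    if content_type == 0x15:                    # alert, e.g. handshake_failure
        return "rejected"
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:  # ServerHello
        # Bytes 9-10 are server_version; 3.0 means the server agreed to SSLv3.
        return "accepts_sslv3" if data[9:11] == SSLV3 else "rejected"
    return "unknown"                            # not SSL/TLS at all (e.g. plain HTTP)


def check_server(host, port=443, timeout=5):
    """Connect, send the ClientHello and classify the reply (does network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            return classify_response(sock.recv(4096))
        except (ConnectionResetError, socket.timeout):
            return "closed"


if __name__ == "__main__":
    try:
        print(check_server("www.example.invalid"))   # placeholder host name
    except OSError as exc:
        print("connection failed:", exc)
```

A result of "rejected" or "closed" is what a server that has dropped SSLv3 should produce; "accepts_sslv3" means the fallback described above is still possible against that server.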
Also, stop using Internet Explorer 6. No, seriously. Not only is it past its End-Of-Life and no longer receiving updates, but IE6 on Windows XP has no TLS support, and can only use SSL via insecure methods. As of today, there is no way for IE6 to provide secure connections.
About The Author
Jack Of All Trades, Master Of Linux. Mike Mallett has been using and advocating the use of free source software for over 10 years. He has worked in organizations large and small, and everything in between. His professional career launched in 1999 with Ottawa-based Object Technology International and went on to pursue human-focused work at Nonviolence International, IDASA, and Human Rights Internet. With experience installing and configuring 20+ different operating systems, Mike has a strong fundamental understanding of modern computing.