Most of the most damaging online attacks have names that actually sound ominous. Heartbleed? Shellshock? Not good things. Things that no one wants. So what’s so scary about POODLE? (Don’t fool yourself into thinking that poodles are just friendly, happy dogs with fancy haircuts—they’re actually one of the most aggressive breeds, so maybe the name is appropriate after all?)
In reality, POODLE isn’t something that most of us will have to worry about, especially if you take a very precautions to make sure that you are protected. Let’s take a look at POODLE and what we need to do to secure ourselves against it.
What is the POODLE Attack?
POODLE is an acronym for Padding Oracle On Downgraded Legacy Encryption. If that just sounds like a bunch of jargon to you, don’t worry. Basically, the POODLE takes control of a public hotspot, using what is called a Man-in-the-Middle attack. From that point, it downgrades your SSL to an older version, so that is it is not as protected as it is with newer protocols. The attack then finds a hole in your security and takes control of your browser.
Any website that uses an SSL, like online retailers, for example, will be affected, if their websites still support the old SSLs. The attack negates the new Transport Layer Security in all new SSL protocols, leaving you open to some pretty nasty business.
The upshot is that if you never use public hotspots, if you never use the WiFi at your local Starbucks or Library, your danger of being targeted is pretty low and there are some very simple steps you can take to protect yourself. If you do a lot of work or play on a public hotspots, on the other hand, it’s time to employ a VPN.
Are there any solutions to the POODLE Attack?
Currently, there is no way to prohibit the attack finding find those security loopholes in the hold SSL, which would be the optimal way to stop these attacks. On the other hand, it is possible for the browsers that your use to disable support for the older SSL protocol. Chrome and Firefox are already in the works, disabling this feature so that it will only support TLS 1.0 (the newest version) protocols. Come the end of November, you should notice that support for SSL has been cut from your browser during the next update.
If you frequently use public hotspots and want to protect yourself right now, there are ways to disable the support yourself so that there is no way for your browser to downgrade to the older protocol.
Disabling SSL 3.0 on Firefox
Firefox’s update will be dropped on the 25th of November, but if you do not want to wait until then, here’s a way to fix the problem yourself. Open your browser and the enter this link: https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/.
Then, add “about.addons” into the navigation bar. You will then find a SSL Version Control extension, which allows you to set it so that it updates automatically and set the minimum SSL to TLS 1.0. That way, your browser will not support the older SSL. Once the new browser is out, you can easily just turn this feature off or uninstall it from your Firefox.
Disabling SSL in Google Chrome
Chrome has not yet told us when they will be releasing their update, but it should be in the next few months. This may not be soon enough, so here is how to protect yourself is you use this browser. Start by right clicking on your Google Chrome desktop icon. At the bottom of the menu that pops up, you will see “Properties.” Click on it.
Once this window has opened, you will see a little box with the word “Target.” Click into this box and hit the End key on the keyboard, then the spacebar. Add this to the end of what’s already there: –ssl-version-min=tls1
Click Apply, Continue, and then Ok as the next couple of windows popup up. Now your Chrome browser will only allow TSL 1.0 certificates. If you have a shortcut link to Chrome, using it to open your browser will not open it with the new feature—you have to open it from the desktop icon.
Visit the CMIT Solutions Blog for the latest on the POODLE Security Vulnerability.
CMIT Solutions of Hartford