In case you haven’t heard, the boffins at Google have discovered a vulnerability that is pretty serious.
It’s called the POODLE vulnerability, or as I like to think of it “the POODLE bug”.
Learn more in the following video:
POODLE stands for “Padding Oracle On Downgraded Legacy Encryption”, and it’s a way of intercepting supposedly secure SSL communications between your computer and a website.
If everything is working properly, SSL should be one of the ways in which your internet communications are secured.
But POODLE provides a way for attackers to trick your computer not to use the latest and greatest encryption for its internet communications, but use SSL 3.0 instead. And SSL 3.0 is about 18 years old, contains bugs, and was long ago superceded by stronger technologies.
The good news is that, unlike Heartbleed or Shellshock, anyone who wants to POODLE you has to get in between your computer and a website that you’re visiting. The most likely way they are going to do that is if you are accessing the web using free WiFi in a coffee shop, and don’t notice the hacker sitting in the corner of the room – sniffing up your data as it flies through the airwaves.
What they can’t do is attack you from the other side of the world.
Furthermore, it appears that a successful POODLE attack (a POODLE bite?) is most likely to be able to steal your session cookies, rather than everything you are transmitting back and forth over the web. But if a hacker manages to grab those, they could still read your webmail messages, or post tweets in your name, and cause all kinds of other mischief.
If possible, set the minimum version of SSL that your web browser will support to TLS version 1.
Scott Helme has helpfully described how to disable SSL 3.0 in all major browsers and server platforms here.
- This POODLE bites: exploiting the SSL 3.0 fallback, Google.
- POODLE attacks on SSLv3, Adam Langley.
- Everything you need to know about the POODLE SSL bug, Troy Hunt.