Author Shawn McCabe
Posted in Software Development
October 21, 2014

Beware of P.O.O.D.L.E, SSLv3 Vulnerability & Security Update

So the hip new thing is to give big security vulnerabilities silly nicknames, hence the "Padding Oracle On Downgraded Legacy Encryption" -> POODLE acronym. Before you panic, this is NOT another Heartbleed; this dog’s bark is worse than its bite.

Google security researchers have discovered that the old SSLv3 encryption protocol can be exploited even on servers that do not use it as their primary encryption method. The exploit allows an attacker to trick the browser into downgrading to SSLv3, if the server still supports it. As of Oct. 14, that was about 96% of all servers. This attack does require that the attacker be able to intercept traffic, which is what makes it less serious than Heartbleed. That said, if someone were able to intercept the traffic, they would be able to get at some of the encrypted data.

Simple Summary

For those that don’t fully understand all those big fancy words used by software developers (myself included), here is a simple explanation courtesy of Matthew Green: POODLE allows a clever attacker who can (a) control the Internet connection between your browser and the server, and (b) run some code (e.g., a script) in your browser to potentially decrypt authentication cookies for sites such as Google, Yahoo and your bank. This gives them access to your personal data. It may not be the easiest way in for an attacker, but they aren’t afraid of a challenge, so please take this vulnerability seriously.

As SSLv3 support was only left enabled to support legacy clients, Acro has now disabled it completely for any & all PCI Compliant sites we host. The only negative effect is that default IE6 installs do not support anything above SSLv3, so they will not be able to connect and secure sites will not load. This is not something we will be turning back on, as that would mean we are deliberately allowing an insecure connection under the illusion that it is secure. If you are a current client of Acro and have any questions or concerns, please do not hesitate to contact your Account or Project Manager.
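As an added illustration (not Acro's own configuration, which the post does not show), here is what the server-side fix described above looks like for an Apache httpd mod_ssl virtual host; the host name and certificate paths are placeholders:

```apache
# BEFORE (weak): "all" minus SSLv2 still leaves SSLv3 enabled, so a
# network attacker who can interfere with the connection can force a
# downgrade from TLS to SSLv3 and then use the padding oracle.
<VirtualHost *:443>
    # placeholder host name
    ServerName shop.example.com
    SSLEngine on
    # placeholder certificate and key paths
    SSLCertificateFile    /path/to/cert.pem
    SSLCertificateKeyFile /path/to/key.pem
    SSLProtocol all -SSLv2
</VirtualHost>

# AFTER (fixed): SSLv3 is removed as well, so only TLS can be negotiated
# no matter what the client asks for. Clients that speak nothing newer
# than SSLv3 (e.g. a default IE6 install, as noted above) will fail to
# connect; that is the intended trade-off.
<VirtualHost *:443>
    ServerName shop.example.com
    SSLEngine on
    SSLCertificateFile    /path/to/cert.pem
    SSLCertificateKeyFile /path/to/key.pem
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
```

After reloading httpd, verify the change on your own host: an SSLv3-only handshake attempt (for example `openssl s_client -connect host:443 -ssl3`, using an OpenSSL build that still speaks SSLv3) should now be rejected, while a TLS handshake still succeeds.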

This vulnerability can also be mitigated by browser changes, which all the major browser makers will be rolling out in the next few weeks.  Please note this will take some time and does not help people not running the newest version.

Acro Media is confident we have taken all precautionary methods to ensure POODLE will not negatively affect our clients. If you are not a client of Acro’s but are looking for help further understanding this issue contact us and we can provide consulting on how to fix the issue or who you should contact.

For further information, Google's official post as well as some other technical details are linked below.
