The POODLE Vulnerability - What It Is and How To Protect Yourself

On the morning of 15th October we turned off SSLv3 support on the CCNow platform because of a potential new security exploit called 'POODLE'.

'POODLE' affects SSLv3, version 3 of the Secure Sockets Layer protocol, which is used to encrypt communications between a browser and a web site (or between a user’s email client and mail server). It’s not as serious as the recent 'Heartbleed' and 'Shellshock' vulnerabilities, but POODLE could allow an attacker to hijack and decrypt the session cookie that identifies you to a service like Twitter or Google, and then take over your accounts without needing your password.

If 'Heartbleed' and 'Shellshock' (both of which we patched on our systems swiftly) were a 10 on the threat scale, then 'POODLE' is probably a 5.

(To be attacked via the 'POODLE' vulnerability, you must be running JavaScript in your browser - everyone needs this to browse mainstream sites - and the attacker has to be on the same network as you, for example on the same coffee shop Wi-Fi network you're using. This makes it less severe than an attack that can be conducted remotely against any computer on the Internet, but it's still a serious threat to your online life.)

In general you can rely on websites to do the responsible thing to protect you, and disable SSLv3 at their end (as CCNow and many other sites have already done). Browser developers are already working on new releases that will remove SSLv3 support transparently; you should be protected automatically in the near future as those new browser releases are pushed out. If you are concerned however, you can read here how to disable SSLv3 in your browser now.
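One way to verify the server-side fix described above, as an added example that is not part of CCNow's article: the script below sends a raw SSLv3 ClientHello over a plain socket and reports whether the server answers with an SSLv3 ServerHello (still exposed) or rejects it. The hostname, port and the small cipher-suite list are assumptions; no SSLv3 support in the local OpenSSL is needed.

```python
"""Check whether a server still negotiates SSLv3 (POODLE exposure check).

Added example, not CCNow's code. A server that has disabled SSLv3 will
reply with an alert or simply close the connection; only a ServerHello
at version 3.0 means SSLv3 is still accepted.
"""
import os
import socket
import struct

SSLV3 = b"\x03\x00"  # protocol version 3.0 on the wire


def build_sslv3_client_hello() -> bytes:
    """Minimal SSLv3 ClientHello offering three common CBC suites (assumed list)."""
    suites = b"\x00\x2f" + b"\x00\x35" + b"\x00\x0a"  # AES128-SHA, AES256-SHA, DES-CBC3-SHA
    body = (
        SSLV3
        + os.urandom(32)                           # client random
        + b"\x00"                                  # empty session id
        + struct.pack("!H", len(suites)) + suites  # cipher suites
        + b"\x01\x00"                              # one compression method: null
    )
    # handshake header: type 1 (ClientHello) + 3-byte big-endian length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # record header: content type 0x16 (handshake), version 3.0, 2-byte length
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_server_response(data: bytes) -> str:
    """Map the first record the server sent back to a verdict."""
    if len(data) < 5:
        return "no-tls-response"  # closed connection or timeout: SSLv3 not offered
    content_type, major, minor, _length = struct.unpack("!BBBH", data[:5])
    if content_type == 0x16 and (major, minor) == (3, 0) and len(data) > 5 and data[5] == 0x02:
        return "sslv3-accepted"   # ServerHello at version 3.0: still POODLE-exposed
    if content_type == 0x15:
        return "sslv3-rejected"   # alert record (e.g. protocol_version, handshake_failure)
    return "unexpected"


def check_host(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect, send the SSLv3 ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
    return classify_server_response(data)


if __name__ == "__main__":
    import sys
    print(check_host(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```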

Internet Explorer 6 users are a special case. (You probably aren't reading this article if you use IE 6, because CCNow only supports IE 7 and above, but if you know someone who has IE 6 and won't or can't upgrade, here is a guide on how to enable TLS v1.0 and disable SSL v2 and SSL v3 in Internet Explorer 6 (300Kb PDF).)

Posted on 10.16.2014