21 October 2014

Updates are available to address a vulnerability called ‘POODLE’ that has been discovered in a type of encryption used to secure information sent between your internet browser and many websites.

The vulnerability affects an older type of encryption called Secure Sockets Layer 3 (SSL 3.0), still used by some older web browsers.

When you use online banking and shopping, the ‘s’ in ‘https’ in the website address indicates that encryption is being used to protect your data as it passes between you and the website. Depending on your browser and the website you are visiting, the type of encryption used can vary.

When you connect to a website, your browser and the website will work down through a list of encryption options, from better and newer to older and weaker, until they find one that is compatible.

SSL 3.0 encryption has been outdated for some years, but many websites continue to support it to allow old internet browsers to work with their websites.

The POODLE vulnerability can assist a criminal to intercept and read your SSL 3.0 encrypted information. Using SSL 3.0 is no longer safe.

POODLE is short for Padding Oracle On Downgraded Legacy Encryption, reflecting the technical detail of this vulnerability.

For users

All major browser vendors have released updates or fixes for their browsers to disable SSL 3.0. Most users should have already received these updates, and you should ensure you have applied them. You can find your software version and options to update in your browser settings. You should set your browser to update automatically.

Information about each browser update is below:

Apple Safari: An update was released on 16 October 2014 that addresses the issues (Apple Security Update 2014-005).

Google Chrome: Uses a different mechanism to handle SSL 3.0 compatibility. Any version of Chrome released since February 2014 (Chrome 33 onwards) is protected against this vulnerability.

Microsoft Internet Explorer: Advice for a workaround was released on 15 October 2014 (Microsoft Security Advisory 3009008).

Mozilla Firefox: Version 34 is expected to be secure against POODLE (expected to be released by late November 2014). A plugin is available until then: Firefox users should install the SSL Version Control plugin, keeping its default settings.

Some fixes for this issue may disable access to some websites where SSL 3.0 is used. You should contact those organisations to seek further advice, as any ‘encrypted’ message from them could be intercepted and read by an attacker.

Website managers

If you operate a website, we recommend that you disable SSL 3.0 support, requiring at a minimum the newer Transport Layer Security (TLS) 1.0 protocol for all encrypted traffic. Be aware this change may prevent some users running older browsers from connecting.

TLS is a newer protocol than SSL 3.0. If you are taking additional security measures while addressing POODLE, do not disable TLS 1.0 or later versions.
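One way to confirm that SSL 3.0 really is off on your own servers after the change, as an added example that is not part of the original advisory or the Stay Smart Online test website: send a minimal SSL 3.0 ClientHello and classify the first record that comes back. A server that still offers SSL 3.0 answers with a 3.0 ServerHello; a correctly configured one answers with an alert (or simply drops the connection). The cipher suite list is a constructed sample of suites SSL 3.0 servers commonly offered.

```python
import os
import socket
import struct

SSL3_VERSION = b"\x03\x00"
# Constructed sample: RSA key exchange with RC4-SHA, AES128-SHA, 3DES-SHA, RC4-MD5.
# Any single match is enough for the server to answer with a ServerHello.
CIPHER_SUITES = b"\x00\x05\x00\x2f\x00\x0a\x00\x04"


def build_sslv3_client_hello():
    """Return a minimal SSL 3.0 ClientHello (record layer + handshake message)."""
    body = (SSL3_VERSION                                   # client_version = 3.0
            + os.urandom(32)                               # client random
            + b"\x00"                                      # empty session id
            + struct.pack("!H", len(CIPHER_SUITES)) + CIPHER_SUITES
            + b"\x01\x00")                                 # one compression method: null
    # Handshake header: type 0x01 (ClientHello) + 3-byte big-endian length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 0x16 (handshake) + version + 2-byte length.
    return b"\x16" + SSL3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the server's first record after an SSL 3.0 ClientHello.

    'accepts_sslv3' -> ServerHello carrying version 3.0 (SSL 3.0 still enabled)
    'refuses_sslv3' -> Alert record (server rejected the SSL 3.0 handshake)
    'unknown'       -> anything else (not TLS, truncated reply, other version)
    """
    if len(data) < 5:
        return "unknown"
    if data[0] == 0x15:                                    # alert record
        return "refuses_sslv3"
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:  # ServerHello
        return "accepts_sslv3" if data[9:11] == SSL3_VERSION else "unknown"
    return "unknown"


def probe(host, port=443, timeout=5.0):
    """Send the SSL 3.0 ClientHello to host:port and classify the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_sslv3_client_hello())
            return classify_response(sock.recv(4096))
    except OSError:                                        # timeout, reset, refused
        return "unknown"


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "localhost"))
```

A result of `unknown` for a host that dropped the connection without an alert is not a failure; only `accepts_sslv3` means SSL 3.0 is still enabled.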

More information

To find out which browser you are using, visit this webpage.

You can check to see if your browser is affected by visiting the POODLE test website.

Website operators can use this website to check if their website is vulnerable.

POODLE was discovered by security researchers at Google.

Stay Smart Online has information on automating updates to your computer.

The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.

Feedback

Thank you to those subscribers who have provided feedback to our Alerts and Newsletters. We are very interested in your feedback and where possible take on board your suggestions or requests.

Disclaimer

This information has been prepared by Enex TestLab for the Department of Communications ('the Department'). It was accurate and up to date at the time of publishing.

This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.

The Commonwealth, Enex TestLab, and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.

Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.

Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.

CONTACT US

Facebook: www.facebook.com/staysmartonline
Email: staysmartonline [at] communications.gov.au
Web: www.staysmartonline.gov.au

© 2013 Australian Government. All rights reserved
