‘POODLE’ vulnerability affects web browsers using old SSL encryption
21 October 2014
Updates are available to address a vulnerability called ‘POODLE’ that has been discovered in a type of encryption used to secure information sent between your internet browser and many websites.
The vulnerability affects an older type of encryption called Secure Sockets Layer 3 (SSL 3.0), still used by some older web browsers.
When you use online banking and shopping, the ‘s’ in ‘https’ in the website address indicates that encryption is being used to protect your data as it passes between you and the website. Depending on your browser and the website you are visiting, the type of encryption used can vary.
When you connect to a website, your browser and the website will work down through a list of encryption options, from better and newer to older and weaker, until they find one that is compatible.
SSL 3.0 encryption has been outdated for some years, but many websites continue to support it to allow old internet browsers to work with their websites.
The POODLE vulnerability can assist a criminal to intercept and read your SSL 3.0 encrypted information. Using SSL 3.0 is no longer safe.
POODLE is short for Padding Oracle On Downgraded Legacy Encryption, reflecting the technical detail of this vulnerability.
All major browser vendors have released updates or fixes for their browsers to disable SSL 3.0. Most users should have already received these updates, and you should ensure you have applied them. You can find your software version and options to update in your browser settings. You should set your browser to update automatically.
Mozilla Firefox: Version 34 is expected to be secure against POODLE (expected to be released by late November 2014). A plugin is available until then. Firefox users should install the SSL Version Control plugin choosing default settings.
Some fixes for this issue may disable access to some websites where SSL 3.0 is used. You should contact those organisations to seek further advice, as any ‘encrypted’ message from them could be intercepted and read by an attacker.
If you operate a website, we recommend that you disable SSL 3.0 support, choosing at a minimum, the newer Transport Layer Security (TLS) 1.0 algorithm for all encrypted traffic. Be aware this change may prevent some users running older browsers from connecting.
TLS is a newer protocol than SSL 3.0. Do not disable TLS 1.0 or later versions if you are taking additional security measures while addressing POODLE.
The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.
Thank you to those subscribers who have provided feedback to our Alerts and Newsletters. We are very interested in your feedback and where possible take on board your suggestions or requests.
This information has been prepared by Enex TestLab for the Department of Communications ('the Department'). It was accurate and up to date at the time of publishing.
This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.
The Commonwealth, Enex TestLab, and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.
Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.
Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.