The POODLE vulnerability: how can you protect yourself?

Recently, three Google researchers—Bodo Moller, Thai Duong, and Krzysztof Kotwic—have discovered the latest security hole in a basic protocol that is used for encrypting web traffic. The vulnerability is named POODLE, which stands for Padding Oracle On Downgraded Legacy Encryption, and affects the Secure Sockets Layer (SSL) 3.0 encryption protocol SSLv3. According to the latest reports, another variant of the POODLE vulnerability, known as (CVE-2014-8730) has been detected. Importantly, all these issues with the POODLE vulnerabilities are related to the old SSLv3 but not with any flaws in SSL certificates or their private keys.

The SSL 3.0 technology is relatively old; it was introduced in 1996 and is known to be currently supported by nearly 95% of Web browsers, which enables the attackers to get access to extensive amounts of information. For example, if you encounter a website those address begins with “https://”, the information that is exchanged between you and the site is not accessible to anyone unless the site allows traffic over SSL 3.0, in which case an attacker can easily exploit the POODLE bug to gather targeted information.

The POODLE vulnerability is regarded as less serious than the Heartbleed and Shellshock vulnerabilities, but it does allow an attacker to take over your accounts, such as Twitter or Google, without your password. The POODLE vulnerability enables an attacker obtain cookies, passwords, and other information that can be used to connect to various accounts without the legitimate user. Unlike the Heartbleed and Shellshock vulnerabilities which attack a server, POODLE targets only the clients.

It has been discovered that the execution of the POODLE vulnerability is much easier when an attacker is on the same network. This has been found to have less harmful consequences as opposed to those attacks that are conducted remotely against the computer. In case the Internet is browsed from home but not public hotspots, e.g. Starbucks, the potential risk of becoming affected is pretty low.

At the moment, there is no effective fix for the vulnerability SSL 3.0 itself; hence, it is highly advisable to to disable support for SSLv3 in order to prevent serious issues. It is important to note that some products and browsers, such as Internet Explorer 6 for the Windows XP operating system only use SSLv3. For example, Google has claimed that they seek to remove support for SSL 3.0 from their client products.

Below you will find instructions on how you can disable SSL 3.0 and enable TLS instead on Internet Explorer.

1. Open the browser and press Tools or press Alt+T.
2. Click Internet Options.
3. Open the Advanced tab.
4. Disable the SSL 3.0 option and select Use TLS 1.1 and Use TLS 1.2.
5. Click Apply.

As regards Mozilla Firefox, SSL 3.0 was disabled after the release of Firefox 34.

It is also important to be aware of cyber scammers because any spam message may cause a lot of damage. Moreover, it is advisable to ignore phishing emails asking you to verify or update your accounts and passwords. Online attackers use different ways of deception, and you should not trust every single email or pop-up notification that you receive because they may be aimed at deceiving you.