POODLE Attacks:
Vulnerabilities found in SSL3
Article Credit: Originally posted at http://www.mypandamonium.com/poodle-attacks-browser-vendors-scramble-to-disable-ssl3.
Article Author: Dorian Karthauser
Attack Vulnerabilities found in SSLv3
Internet and website security continue to be challenging in 2014. Anything on the Cloud is vulnerable and needs to be secured as much as possible.
This week, the Google Security Team announced the discovery of a major flaw in an outdated, but widely-used SSL protocol: SSL3.
How to Turn Off SSL3 in Firefox and Internet Explorer Browsers:
Firefox: To prevent POODLE attacks on Firefox, just add this extension to Firefox:
https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control
Internet Explorer (IE): To disable SSL3 on IE, go to the Tools menu, click Internet Options and go to the Advanced tab.
Under that tab, look for the Security heading, and make sure that the SSL 3.0 check box is unchecked.
Chrome Browser Vulnerability
Although Google owns Chrome, and Google researchers discovered the POODLE exploit – the Chrome Browser has not yet released a fix for SSL3. (As of 10-16-2014, Noon CST).
Online Tests for POODLE Vulnerability
Check your browser for POODLE vulnerability at https://www.poodletest.com or https://poodle.io.
The test gives a graphic result: If you see a poodle, then your browser supports SSLv3 and you may be vulnerable. But if you see a Springfield Terrier below, then your browser doesn’t support SSLv3.
Turn off SSL3 in Firefox and IE by following the directions above. Then, test your browser at the POODLE Test site links.
What is POODLE?
The attack, disclosed by a trio of Google security researchers on Tuesday, allows an attacker on the same network as a victim to decrypt sensitive data that’s protected by SSLv3 encryption. It can be executed in the background and takes advantage of the fact that when a client tries to establish a secure connection to a server and fails, the server will attempt to make the connection using a different protocol, a process known as falling back. An attacker can force an unsuccessful connection and make the server use SSLv3, and then execute the attack.
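The fallback behaviour described above can be modelled in a few lines. This is an added example, not part of the original article: no real TLS is spoken, the version names are only labels, and the function names and sample configurations are made up for illustration. It shows why a browser with SSL 3.0 unchecked fails the connection instead of ending up on SSLv3.

```python
# Toy model of protocol fallback. No real TLS is spoken; version names are labels.
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]  # oldest to newest

# Constructed sample configurations (assumptions, not measured from any product).
SERVER = {"SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"}
BROWSER_DEFAULT = {"SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"}  # SSL 3.0 still enabled
BROWSER_HARDENED = BROWSER_DEFAULT - {"SSLv3"}                 # SSL 3.0 unchecked
TLS_ATTEMPTS_FAIL = {"TLSv1.0", "TLSv1.1", "TLSv1.2"}          # forced failures


def attempt(version, server_enabled, failing):
    """One connection attempt: works only if the server allows the version
    and nothing on the network makes that attempt fail."""
    return version in server_enabled and version not in failing


def connect_with_fallback(client_enabled, server_enabled, failing=frozenset()):
    """Try the client's enabled versions from newest to oldest.
    Returns (negotiated_version_or_None, list_of_versions_tried)."""
    attempts = []
    for version in sorted(client_enabled, key=VERSIONS.index, reverse=True):
        attempts.append(version)
        if attempt(version, server_enabled, failing):
            return version, attempts
    return None, attempts  # fails closed: no version left to fall back to


def exposed_to_poodle(client_enabled, server_enabled, failing=frozenset()):
    """True when the connection ends up on SSLv3."""
    negotiated, _ = connect_with_fallback(client_enabled, server_enabled, failing)
    return negotiated == "SSLv3"


if __name__ == "__main__":
    scenarios = [
        ("default browser, clean network", BROWSER_DEFAULT, frozenset()),
        ("default browser, TLS attempts forced to fail", BROWSER_DEFAULT, TLS_ATTEMPTS_FAIL),
        ("SSL 3.0 unchecked, TLS attempts forced to fail", BROWSER_HARDENED, TLS_ATTEMPTS_FAIL),
    ]
    for label, browser, failing in scenarios:
        negotiated, tried = connect_with_fallback(browser, SERVER, failing)
        print(f"{label}: negotiated={negotiated} tried={tried}")
```

In the third scenario the connection is refused outright, which is the trade-off of disabling SSL 3.0: a site that only speaks SSLv3 becomes unreachable, but no session can be pushed down to it.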
Why Should I Care?
As a consumer and web user – if you ever use your computer to transmit secure information – you should be concerned.
Examples:
- Online Banking
- Online Purchases
- Online Cloud-based Interactions
- Any website with a secure login
WordPress Website Security Audits
We recommend adding extra layers of security protection for WordPress sites.
Contact Us for a WordPress Security Audit.
Read More about POODLE at:
http://www.zdnet.com/google-reveals-major-flaw-in-outdated-but-widely-used-ssl-protocol-7000034677