We tweeted early yesterday evening that a new major vulnerability was about to be disclosed and sure enough, late last night, the full disclosure was released. The latest discovery of a serious vulnerability affecting all internet users (following on from Shellshock and the earlier Heartbleed) was initially made by security researchers from Google who, in these days of wanting to give everything a catchy (and in Google’s case an animal – Panda, Penguin etc.) name, must have been jumping for joy when they realised that the acronym gave them exactly that! By the way, POODLE stands for Padding Oracle On Downgraded Legacy Encryption.
This potentially affects everyone connecting to a secure website using https. SSLv3 is quite an old protocol and most servers / websites / browsers will use a more modern protocol (TLS 1.2/TLS 1.1/TLS 1.0), which is not affected by this attack when encrypting data (i.e. https), so you might think there would be few problems. When making a secure connection, a browser will use the most secure protocol version that both it and the server / website support. However, in order to maintain backward compatibility with old systems, connections can be negotiated down to a less secure protocol version, and this is where the problem arises: an attacker sitting between the browser and the server can force a perfectly secure TLS connection to be downgraded to an insecure SSLv3 one.
If you are hosted by us – then YES! We checked every single server and disabled SSLv3 wherever it was still enabled, as soon as this was announced. We have taken the opportunity to further enhance SSL security on all our servers, and this can be checked using the great website from Qualys SSL Labs. All websites on our servers should return either an A or an A+ rating if they have their own SSL certificate installed.
You are only at risk if your browser supports SSLv3 (which currently almost all do – you can test by visiting https://www.poodletest.com) AND you visit a website on a server that still supports SSLv3 AND the attacker is on the same network as you (usually a public wireless network, as this type of connection is very insecure – unless you use a VPN to secure your wireless connection, as we wrote about only a few days ago). So you are pretty much safe when connecting to websites from your home or work network, but not from public wireless networks.
Internet Explorer 6 on Windows XP is the only browser still in use that can only use SSLv3 – so this means that visitors using it will not be able to get a secure connection to a website where SSLv3 is disabled. The global percentage of people still using this combination (who have far greater security issues to worry about than this anyway) has dropped dramatically in the past year, and we see almost no traffic from it to websites across our whole network.
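An added example, not code from the original post, that models the fallback negotiation described above and shows why disabling SSLv3 on the server (as done here) or in the browser stops the downgrade; it also includes the TLS_FALLBACK_SCSV signal from RFC 7507, which the post does not mention, as the protocol-level fix. The function names and the attacker model are assumptions made for illustration.

```python
# Added example, not code from the original post: a toy model of the browser
# "fallback dance" that POODLE abuses. The attacker model (a man in the middle
# on the same network dropping handshakes) and all names are constructed.
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]  # lowest to highest


def rank(version):
    return VERSIONS.index(version)


def handshake(client_max, server_versions, attacker_blocks_above=None, scsv=False):
    """One ClientHello offering versions up to client_max.

    Returns the version the server picks, or None if the handshake fails.
    scsv=True marks a retry carrying TLS_FALLBACK_SCSV (RFC 7507): a server
    that supports something higher than client_max then refuses the retry.
    """
    if attacker_blocks_above is not None and rank(client_max) > rank(attacker_blocks_above):
        return None  # constructed: the MITM kills every handshake above its target
    server_best = max(server_versions, key=rank)
    if scsv and rank(server_best) > rank(client_max):
        return None  # inappropriate_fallback: the client should not be this low
    for version in sorted(server_versions, key=rank, reverse=True):
        if rank(version) <= rank(client_max):
            return version
    return None  # nothing in common, e.g. SSLv3 offered to a server that disabled it


def connect_with_fallback(client_versions, server_versions, attacker_blocks_above=None, use_scsv=False):
    """Legacy browser behaviour: try the highest version it supports and, when
    that handshake fails, retry with the next lower one until one succeeds."""
    offered = sorted(client_versions, key=rank, reverse=True)
    for attempt, version in enumerate(offered):
        agreed = handshake(version, server_versions, attacker_blocks_above,
                           scsv=use_scsv and attempt > 0)
        if agreed is not None:
            return agreed
    return None  # no connection at all, which is the safe outcome


if __name__ == "__main__":
    modern = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]  # SSLv3 disabled, as on the fixed servers
    print("no attacker:        ", connect_with_fallback(VERSIONS, VERSIONS))
    print("MITM, SSLv3 on:     ", connect_with_fallback(VERSIONS, VERSIONS, "SSLv3"))
    print("MITM, server fixed: ", connect_with_fallback(VERSIONS, modern, "SSLv3"))
    print("MITM, browser fixed:", connect_with_fallback(modern, VERSIONS, "SSLv3"))
    print("MITM, SCSV:         ", connect_with_fallback(VERSIONS, VERSIONS, "SSLv3", True))
```

Only the second scenario ends on SSLv3; removing SSLv3 from either side, or sending TLS_FALLBACK_SCSV on the retry, turns the downgrade into a failed connection instead.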
There Are 2 Comments
John Adams on 16 Oct, 2014
Thanks for this simple explanation of what this latest “major issue” is and also for the fact that you are always pro-active around security issues like this. From what I understand though, this is only a problem if you are connecting through a public wireless connection and somebody is actively using a “man in the middle” attack?
Will this finally be the death of IE6 though – this was arguably the worst browser that Microsoft ever released!
Havenswift Hosting on 16 Oct, 2014
You are correct in some ways in that the issue is quite severe but how often it will be exploited in the real world is debatable. In our opinion, nobody should ever access any website from a public network (in fact any network that you don’t know for certain isn’t potentially compromised) without using a VPN. As we said in a recent post about using a VPN, it is trivial for anyone with fairly basic knowledge to intercept wireless signals if they are connected to the same wi-fi router that you are – using this they could then gain access to communications between you and what you think is a secure website.
New versions of browsers will be released that will prevent this but that is likely to take time and huge numbers of people take a long time to then upgrade or never upgrade.
Let’s hope this will hasten the death of IE6, although that is unlikely in real numbers; but are these important to most people? We think not, hence the action we took. While we said we see little traffic from IE6 on our network, it still accounts for 10% of all website visits in China, which is due mainly to the huge number of pirated copies of Windows XP in use. It also still records as around 4% of global web traffic, but then again this is heavily weighted by China and a few other countries that also have high pirated XP numbers.