What is this Poodle fuss all about?
The "Poodle" attack ("Padding Oracle On Downgraded Legacy Encryption") is a "man-in-the-middle" type exploit which utilises a vulnerability in SSL connections.
SSL?
SSL (Secure Socket Layer) is a way of sending data securely across the internet. It's used whenever any sensitive or personal information is being entered and is common practice on ecommerce and banking sites. You know a web page is protected by SSL from the "padlock" icon on your browser (and the "https:" in the address).
So what damage can it do?
The vulnerability allows attackers to reduce the level of protection the SSL connection should give. This allows them to access the data that's being sent. This is obviously bad news if you're entering your credit card details for example.
How does this affect me?
Thankfully this only applies to a relatively old type of Secure Socket Layer (SSL v3).
If you use an up-to-date browser then you'll be fine.
However, if you use an old browser such as Internet Explorer 6 you are at risk because it doesn't work with later (and more secure) types of SSL. In fact, you won't be able to access a lot of websites soon as many are simply switching off SSL v3.
If you are using an older version of Internet Explorer it’s a good idea to update to a later version of IE or Chrome and Firefox. Keeping your browser up to date is important for security as well as ensuring you get the best possible browsing experience (a lot of new website features simply won’t work on older browsers).
What about my own website? Do I need to do anything?
If you are an ecommerce website taking online payments you should be aware that SagePay are planning to switch off SSL v3 completely on Monday 2nd February 2015.
For most of our clients this will be fine as your website will support later versions of SSL (“TLS”). You won’t even notice a difference.
However, in some cases there may be an issue. For example, if you website is hosted on a server which doesn’t allow TLS (e.g. Windows Server 2003) you will no longer be able to accept payments and will need to move to a more up-to-date server.
At Webnetism we have audited all our clients’ websites and informed them if any action needs to be taken.
STOP PRESS - UPDATE 2nd February 2015
If you are running your website on Windows Server 2003 then there is a Hot Fix that Microsoft has created to add support for TLS and prevent the Poodle vulnerability:
http://support.microsoft.com/kb/948963/en-gb
If you have any questions about this, online security or your hosting requirements then please feel free to Contact Us...