The POODLE Vulnerability and How To Protect Yourself

On the morning of 15th October we turned off SSLv3 support on all Snorrason Holdings operated websites because of a potential new security exploit called 'POODLE'.

'POODLE' affects SSLv3, version 3 of the Secure Sockets Layer protocol, which is used to encrypt communications between a browser and a web site (or between a user's email client and mail server). It's not as serious as the recent 'Heartbleed' and 'Shellshock' vulnerabilities, but POODLE could allow an attacker to hijack and decrypt the session cookie that identifies you to a service like Twitter or Google, and then take over your accounts without needing your password.

If 'Heartbleed' and 'Shellshock' (both of which we patched our systems against swiftly) were a 10 on the threat scale, then 'POODLE' is probably a 5.

(To be attacked via the 'POODLE' vulnerability, you must be running JavaScript in your browser, which everyone needs to browse mainstream sites, and the attacker has to be on the same network as you, for example on the same coffee shop Wi-Fi network you're using. This makes it less severe than an attack that can be conducted remotely against any computer on the Internet, but it's still a serious threat to your online life.)

In general you can rely on websites to do the responsible thing to protect you and disable SSLv3 at their end (as we and many other leading Internet sites have already done). Browser developers are already working on new releases that will remove SSLv3 support transparently; you should be protected automatically in the near future as those new browser releases are pushed out. If you are concerned, however, you can read here how to disable SSLv3 in your browser now.
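For site operators who want to confirm that SSLv3 really is off at their end, the following is an added example, not part of the original post: it sends a ClientHello that offers only SSLv3 and classifies the server's first reply. The function names, the cipher suite list and the sample reply bytes are assumptions constructed for illustration.

```python
import socket
import struct
import sys

SSL3 = bytes((3, 0))  # SSLv3 is version 3.0 on the wire

def build_sslv3_client_hello():
    """ClientHello offering SSLv3 only (SSLv3 has no extensions)."""
    random = bytes(32)  # constructed: a fixed value is fine for a probe
    # RSA suites with AES-128-CBC, AES-256-CBC, 3DES-CBC and RC4 (all SHA-1 MAC)
    suites = struct.pack("!4H", 0x002F, 0x0035, 0x000A, 0x0005)
    body = (SSL3 + random + b"\x00"                 # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                          # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit length
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake

def classify_reply(data):
    """Return 'enabled', 'refused' or 'inconclusive' from the first reply bytes."""
    if len(data) >= 7 and data[0] == 0x15:          # alert record: handshake rejected
        return "refused"
    # handshake record whose first message is a ServerHello choosing version 3.0
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x02 and data[9:11] == SSL3:
        return "enabled"
    return "inconclusive"                           # closed without reply, or not TLS

def probe(host, port=443, timeout=5.0):
    """Send the SSLv3-only hello to host:port and classify what comes back."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_sslv3_client_hello())
            while len(data) < 11:
                chunk = sock.recv(64)
                if not chunk:
                    break
                data += chunk
    except OSError:
        pass                                        # reset or timeout: classify what we have
    return classify_reply(data)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:  # constructed replies: fatal handshake_failure alert, then ServerHello v3.0
        print(classify_reply(b"\x15\x03\x00\x00\x02\x02\x28"))
        print(classify_reply(b"\x16\x03\x00\x00\x2a\x02\x00\x00\x26\x03\x00"))
```

An alert can also mean the server shares none of the offered cipher suites, so read 'refused' as "no SSLv3 session was negotiated with these suites". A result of 'enabled' means the server still accepts SSLv3 and needs its configuration changed.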

Internet Explorer 6 users are a special case. You probably aren't reading this article if you use IE 6, because DalPay's sites only support IE 8 and above. However, if you know someone who uses IE 6 and won't (or can't) upgrade, here is a guide on how to enable TLS v1.0 and disable SSL v2 and SSL v3 in Internet Explorer 6 (300Kb PDF).

(Microsoft has been urging all IE 6 users to upgrade since late 2011, but for those who can't do so, and despite the other security risks of using IE, at least that is a way to retain access to secure websites for the time being.)

Posted on 10.16.2014