The POODLE Vulnerability and How To Protect Yourself
On the morning of 15th October we turned off SSLv3 support on all websites operated by Snorrason Holdings because of a potential new security exploit called 'POODLE'.
'POODLE' affects SSLv3, version 3 of the Secure Sockets Layer protocol, which is used to encrypt communications between a browser and a website (or between a user’s email client and mail server). It’s not as serious as the recent 'Heartbleed' and 'Shellshock' vulnerabilities, but POODLE could allow an attacker to hijack and decrypt the session cookie that identifies you to a service like Twitter or Google, and then take over your accounts without needing your password.
If 'Heartbleed' and 'Shellshock' (both of which we patched our systems against swiftly) were a 10 on the threat scale, then 'POODLE' is probably a 5.
In general, you can rely on websites to do the responsible thing to protect you and disable SSLv3 at their end (as we and many other leading Internet sites have already done). Browser developers are already working on new releases that will remove SSLv3 support transparently; you should be protected automatically in the near future as those new browser releases are pushed out. If you are concerned, however, you can read here how to disable SSLv3 in your browser now.
Internet Explorer 6 users are a special case. You probably aren't reading this article if you use IE 6, because DalPay's sites only support IE 8 and above. However, if you know someone who uses IE 6 and won't (or can't) upgrade, here is a guide on how to enable TLS v1.0 and disable SSL v2 and SSL v3 in Internet Explorer 6 (300Kb PDF).
(Microsoft has been urging all IE 6 users to upgrade since late 2011, but for those who can't do so, and despite the other security risks of using IE, at least that is a way to retain access to secure websites for the time being.)