How To Avoid POODLE Flaw From Biting Your Web Browser

November 4, 2014 | By Editor 

Summary

A puppy is cute and lovable only when it is a puppy, not when it is a web browser flaw that targets users' personal information. The "puppy" in question is POODLE, short for Padding Oracle On Downgraded Legacy Encryption, and it is a serious security vulnerability. Because the flaw is in the SSL 3.0 protocol itself rather than in one product, it can affect any browser that still speaks SSL 3.0, and therefore any one of us as well.

Read on to find out what POODLE is, what it does to a browser, and what you can do to stop it from affecting you.

What is POODLE Flaw?

To understand POODLE, you need to know about Secure Sockets Layer (SSL) and Transport Layer Security (TLS), the two cryptographic protocols developed to safeguard your sensitive online communications.

When you visit a site whose address begins with HTTPS, the connection is protected by SSL/TLS. SSL and its successor TLS are different protocols, but most people lump them together and call both of them "SSL".

TLS replaced SSL as the standard protocol for encrypting web traffic more than a decade ago (SSL 3.0 dates from 1996, TLS 1.0 from 1999). However, SSL 3.0 is still supported by most browsers and servers for compatibility, and that is what makes POODLE dangerous.

When you go to a site, the system (server) serving you the web page usually supports several protocol versions, ranging from the recent and secure TLS 1.2 down to the older and weaker SSL 3.0. Your browser and the server negotiate the highest version both of them support. Browsers, however, also retry with a lower version when a handshake fails, to cope with buggy old servers, and a man-in-the-middle (MiTM) attacker who sits between you and the site can break handshakes deliberately until the browser retries with SSL 3.0. That downgrade is the first step of the POODLE attack.

How Does POODLE bite?

  • POODLE first forces the connection between your browser and the server down to SSL 3.0. If that succeeds, the attacker exploits a weakness in how SSL 3.0 checks CBC padding (only the last byte of the padding is examined) to decrypt parts of your supposedly protected traffic, one byte at a time.
  • The usual target is your cookies, which often store session tokens and other sensitive, confidential data. With a session cookie in hand, the attacker can act as you on that site, and that is never good for you.
  • The POODLE exploit does have one upside: it is not the easiest way for an attacker to get your personal details. The attacker must be on the network path between you and the site (for example on the same public Wi-Fi), must get your browser to send many crafted requests (typically through malicious JavaScript), and then needs on average 256 requests for each byte recovered, so hundreds or thousands of attempts for a single cookie.

So it is a vulnerability to be concerned about, but it is not as bad as the recent Heartbleed bug.
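The padding check described above, as an added example that is not part of the original article: the simulation below uses a stand-in block cipher, a constructed cookie value and a simplified record layout (all assumptions of the example, not real session data) and implements the SSL 3.0 rule that only the pad-length byte is checked. The attacker moves a chosen ciphertext block into the padding position and learns one plaintext byte each time the server happens to accept, which is why recovering a cookie costs about 256 requests per byte.

```python
# Added example (not from the original article): a self-contained simulation of
# the SSL 3.0 CBC padding oracle that POODLE exploits. The block cipher, keys,
# cookie value and request layout are constructed for the demo; the padding
# check is the SSL 3.0 rule, under which only the pad-length byte is examined.
import hashlib
import hmac
import os

BLOCK = 16       # cipher block size (AES-style)
MAC_LEN = 20     # SSL 3.0 used 16- or 20-byte MACs; 20 here


def xor(a: bytes, b: bytes) -> bytes:
    return (int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).to_bytes(len(a), "big")

# --- toy block cipher (4-round Feistel on HMAC-SHA256) standing in for AES ---
def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return l + r

def block_decrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r

# --- SSL 3.0 style record layer: plaintext || MAC || padding, CBC encrypted ---
def ssl3_encrypt(key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    body = plaintext + hmac.new(mac_key, plaintext, hashlib.sha256).digest()[:MAC_LEN]
    pad_len = (BLOCK - 1) - len(body) % BLOCK          # filler bytes before the length byte
    body += os.urandom(pad_len) + bytes([pad_len])     # SSL 3.0: filler content is unspecified
    iv, out = os.urandom(BLOCK), b""
    prev = iv
    for i in range(0, len(body), BLOCK):
        prev = block_encrypt(key, xor(body[i:i + BLOCK], prev))
        out += prev
    return iv + out

def ssl3_record_ok(key: bytes, mac_key: bytes, record: bytes) -> bool:
    """The server side: True if the record decrypts and its MAC verifies."""
    iv, ct = record[:BLOCK], record[BLOCK:]
    body, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        body += xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    pad_len = body[-1]
    if pad_len >= BLOCK:                    # the ONLY padding check SSL 3.0 makes
        return False
    body = body[:len(body) - pad_len - 1]   # filler bytes are discarded unexamined
    msg, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(mac, hmac.new(mac_key, msg, hashlib.sha256).digest()[:MAC_LEN])

# --- the victim: a browser and a server sharing session keys ----------------
COOKIE = b"sid=7f3a9c1e"   # constructed secret; the attacker's script cannot read it directly

class Victim:
    def __init__(self):
        self.key, self.mac_key = os.urandom(16), os.urandom(16)

    def browser_request(self, prefix_len: int, suffix_len: int) -> bytes:
        # Attacker-controlled script chooses the URL path (prefix) and body (suffix);
        # the browser inserts the cookie between them and encrypts the record.
        return ssl3_encrypt(self.key, self.mac_key, b"/" * prefix_len + COOKIE + b"x" * suffix_len)

    def server_accepts(self, record: bytes) -> bool:
        return ssl3_record_ok(self.key, self.mac_key, record)

# --- the attacker: sees ciphertext in transit plus the server's accept/reject --
def recover_byte(victim: Victim, k: int):
    """Recover COOKIE[k]; returns (byte value, number of requests used)."""
    prefix_len = (BLOCK - 1 - k) % BLOCK                        # put COOKIE[k] last in its block
    suffix_len = -(prefix_len + len(COOKIE) + MAC_LEN) % BLOCK  # make the padding a full block
    target = (prefix_len + k) // BLOCK                          # index of that plaintext block
    attempts = 0
    while True:
        attempts += 1
        rec = victim.browser_request(prefix_len, suffix_len)
        blocks = [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]  # blocks[0] is the IV
        # Replace the all-padding last block with the target ciphertext block.
        tampered = b"".join(blocks[:-1]) + blocks[target + 1]
        if victim.server_accepts(tampered):
            # Accepted only when D(C_target)[15] ^ C_{last-1}[15] == 15, and
            # D(C_target) = P_target ^ C_{target-1}, so P_target[15] follows:
            return (BLOCK - 1) ^ blocks[target][-1] ^ blocks[-2][-1], attempts

def recover_cookie(victim: Victim, length: int):
    out, total = bytearray(), 0
    for k in range(length):
        b, n = recover_byte(victim, k)
        out.append(b)
        total += n
    return bytes(out), total

if __name__ == "__main__":
    recovered, requests = recover_cookie(Victim(), len(COOKIE))
    print(f"recovered {recovered!r} using {requests} requests "
          f"(about {requests // len(COOKIE)} per byte; expected around 256)")
```

The attacker never decrypts anything: the server's accept/reject answer is the oracle, and the arithmetic in recover_byte uses only bytes visible on the wire. TLS 1.0 and later close this hole by requiring every filler byte to equal the pad length, so a moved block is rejected regardless of its last byte.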

What Can You Do To Stop POODLE?

  • First, check your browser at https://www.poodletest.com/ to see whether it is vulnerable to POODLE attacks.
  • The moment you visit the page, you will see either a Springfield terrier (you are not at risk) or the big gray poodle (you are at risk).
  • If the test shows that your browser is vulnerable, disable SSL 3.0 support.
  • This may cause compatibility issues with old servers that support nothing newer than SSL 3.0.

For Google Chrome Users

  • Right-click the Chrome shortcut on your desktop and choose Properties.
  • In the Properties window, find the "Target" field. It holds the path to the Chrome executable (ending in chrome.exe).
  • After that path, add a space followed by --ssl-version-min=tls1 (two hyphens, without the quotes). This tells Chrome to refuse any protocol version older than TLS 1.0.
  • Click Apply and restart Chrome. Note that the flag only takes effect for Chrome windows started through that shortcut; Chrome launched another way runs without it.
  • To be on the safe side, avoid public wireless hotspots until browser makers have disabled SSL 3.0 support by default.

For Mozilla Firefox users

  • Mozilla will disable SSL 3.0 by default in Firefox 34, scheduled for release on November 25.
  • Until then, Mozilla has released a free add-on, SSL Version Control 0.2, that stops Firefox from negotiating SSL 3.0. It is available at https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/.
  • After installing SSL Version Control 0.2, click the Open menu (three horizontal bars) on the far right and then select Add-ons. The same effect can be achieved by hand: open about:config and set security.tls.version.min to 1, which makes TLS 1.0 the lowest version Firefox will accept.

For Microsoft Internet Explorer (IE) 7 to 11 Users

  • Go to the Tools menu (Alt+T in IE 8, Alt+X in IE 9, 10 and 11) and select Internet Options.
  • If the menu or command bar is not visible, press the Alt key to show it.
  • Open the Advanced tab, found on the far right, and scroll down to the Security section until you find Use SSL 2.0 and Use SSL 3.0. Uncheck both boxes.
  • Make sure all available Use TLS options (Use TLS 1.0, Use TLS 1.1 and Use TLS 1.2) are checked. If you do not see these TLS options, you need to update IE.
  • Click Apply and then OK.

POODLE can be Tamed

POODLE can easily be tamed once the majority of browsers and web servers stop using SSL 3.0. In the meantime, a protocol mechanism called TLS_FALLBACK_SCSV has been developed for browser and server programmers to implement. It is not a tool but a special value that a browser adds to its cipher suite list whenever it retries a handshake with a lower protocol version; a server that supports a higher version then recognises the retry as a downgrade and rejects it with an inappropriate_fallback alert, so an attacker can no longer push a connection down to SSL 3.0 by breaking the first handshake. Unfortunately, it only protects a connection when both the browser and the server implement it, and that could take a while. Until then, it is our responsibility to make the Internet a safer place.
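To see the downgrade and the TLS_FALLBACK_SCSV signal concretely, here is an added example (not the article's or any browser vendor's code) that hand-builds an SSL 3.0 ClientHello, optionally carrying TLS_FALLBACK_SCSV, and classifies the server's first reply. The record layouts follow the SSL 3.0 specification; the sample replies it is run against are constructed for the demonstration, and the probe() function, which assumes network access and a host name you supply, is the only part that talks to a live server.

```python
# Added example (not from the original article): builds an SSL 3.0 ClientHello
# by hand, optionally with TLS_FALLBACK_SCSV appended, and classifies the
# server's first reply. Byte layouts follow the SSL 3.0 record format; the
# sample replies used below are constructed, not captured from a real server.
import os
import socket
import struct

SSLV3 = b"\x03\x00"
TLS_FALLBACK_SCSV = b"\x56\x00"      # signalling suite value from the TLS downgrade-SCSV draft (later RFC 7507)
CBC_SUITES = {                        # the CBC-mode suites POODLE needs; RC4 suites deliberately absent
    b"\x00\x2f": "TLS_RSA_WITH_AES_128_CBC_SHA",
    b"\x00\x35": "TLS_RSA_WITH_AES_256_CBC_SHA",
    b"\x00\x0a": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
ALERTS = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}


def build_sslv3_client_hello(fallback_scsv: bool = False, client_random: bytes = None) -> bytes:
    """One record carrying a ClientHello that offers SSL 3.0 only (SSL 3.0 has no extensions)."""
    suites = b"".join(CBC_SUITES.keys())
    if fallback_scsv:
        suites += TLS_FALLBACK_SCSV           # "this is a downgrade retry, not my best version"
    rnd = client_random if client_random is not None else os.urandom(32)
    body = (SSLV3 + rnd + b"\x00"             # client_version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                    # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # HandshakeType ClientHello, 3-byte length
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake   # ContentType handshake


def classify_reply(data: bytes):
    """Interpret the first record a server sends back.

    Returns (verdict, detail):
      ("sslv3", suite name)   the server answered with an SSL 3.0 ServerHello: downgrade possible
      ("alert", alert name)   the server refused; "inappropriate_fallback" means it honoured the SCSV
      ("closed", "")          the server hung up without sending a record
      ("other", description)  anything else, e.g. a ServerHello with a TLS version
    """
    if len(data) < 5:
        return ("closed", "")
    ctype, version, length = data[0], data[1:3], struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if ctype == 0x15 and len(payload) >= 2:                    # alert: level, description
        return ("alert", ALERTS.get(payload[1], "alert_%d" % payload[1]))
    if ctype == 0x16 and payload[:1] == b"\x02":               # handshake, ServerHello
        if len(payload) < 41:
            return ("other", "truncated ServerHello")
        server_version = payload[4:6]                          # after type (1) + length (3)
        sid_len = payload[38]                                  # after version (2) + random (32)
        suite = payload[39 + sid_len:41 + sid_len]
        if server_version == SSLV3:
            return ("sslv3", CBC_SUITES.get(suite, suite.hex()))
        return ("other", "ServerHello with version %s" % server_version.hex())
    return ("other", "record type 0x%02x version %s" % (ctype, version.hex()))


def sample_server_hello(version: bytes, suite: bytes) -> bytes:
    """Constructed ServerHello record (all-zero random, empty session id) for offline use."""
    body = version + b"\x00" * 32 + b"\x00" + suite + b"\x00"
    handshake = b"\x02" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake


def sample_alert(description: int) -> bytes:
    """Constructed fatal alert record."""
    return b"\x15" + SSLV3 + b"\x00\x02" + bytes([2, description])


def probe(host: str, port: int = 443, fallback_scsv: bool = False, timeout: float = 5.0):
    """Send the SSL 3.0 ClientHello to a live server and classify its reply (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv3_client_hello(fallback_scsv))
        try:
            return classify_reply(s.recv(4096))
        except (ConnectionResetError, socket.timeout):
            return ("closed", "")


if __name__ == "__main__":
    # Offline demonstration on constructed replies; call probe("your.host") for a real server.
    print(classify_reply(sample_server_hello(SSLV3, b"\x00\x2f")))   # ('sslv3', 'TLS_RSA_WITH_AES_128_CBC_SHA')
    print(classify_reply(sample_alert(86)))                           # ('alert', 'inappropriate_fallback')
    print(classify_reply(b""))                                        # ('closed', '')
```

Run against a server twice, once without and once with fallback_scsv=True: a server that still speaks SSL 3.0 answers the first probe with an SSL 3.0 ServerHello, and a server that implements TLS_FALLBACK_SCSV answers the second with an inappropriate_fallback alert, because a client that sends the SCSV is claiming to be retrying after a failed higher-version handshake. A server that answers "sslv3" in both cases is one that POODLE can still reach.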
