By Jeroen Barendse
UPDATE: As of November 2014 Google, Mozilla, Microsoft, and Apple have all shipped updates for their browsers to close the POODLE vulnerability.
Explaining the Vulnerability:
On Tuesday, October 14, 2014 Google announced a vulnerability in the SSL 3.0 protocol itself, which it named POODLE (Padding Oracle On Downgraded Legacy Encryption). SSL, or Secure Sockets Layer, is a cryptographic protocol designed to provide communication security over the Internet. SSLv3.0 is an 18-year-old version of SSL that has long been superseded by TLS, but nearly all browsers still support it for compatibility with old servers.
How it works:
Web servers run a variety of protocol versions (some still only SSLv3.0), so when a browser's first connection attempt to a website fails, it retries with older protocol versions, eventually SSLv3.0. A network attacker, meaning anyone who can tamper with the traffic between you and the site, can cause those failures on purpose and so trigger your browser into using SSLv3.0. Once the connection is on SSLv3.0, the attacker can exploit what is being called the POODLE vulnerability: SSLv3.0 checks only the last byte of the CBC padding and does not protect the padding with the MAC, so an attacker who can run script in your browser (to make it send many carefully sized requests) and tamper with each encrypted record learns, from whether the server accepts or rejects the tampered record, one byte of plaintext for roughly every 256 requests. Aimed at the part of the request that carries your session token or cookies, this lets the attacker recover them and hijack your identity on that site.
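To make the padding-oracle step concrete, here is an added simulation of the attack (example code written for this page, not code from the original post or from Google's advisory). It models an SSL 3.0-style CBC record layer, a browser that encrypts attacker-shaped requests carrying a secret cookie, and the attacker recovering that cookie one byte at a time from the server's accept/reject signal. Assumptions: a small Feistel network built on HMAC-SHA256 stands in for the block cipher (the attack does not depend on which cipher CBC wraps), HMAC-SHA1 stands in for SSL 3.0's 20-byte MAC, the IV is sent with each record rather than chained from the previous one, and the names Session and poodle_recover and the request layout are invented for the demonstration.

```python
"""POODLE simulated end to end: SSL 3.0-style CBC records, a victim browser that
attaches a secret cookie to attacker-shaped requests, and the attacker who
recovers that cookie one byte per ~256 requests from accept/reject alone.

Added example for this page, not code from the original post or from Google.
Assumptions: a 4-round Feistel network on HMAC-SHA256 stands in for the block
cipher, HMAC-SHA1 stands in for the SSL 3.0 MAC, the IV travels with each
record, and the Session/poodle_recover names and request layout are invented.
"""
import hashlib
import hmac
import random

BLOCK = 16
MAC_LEN = 20
REQ_HEAD = b"GET /"
REQ_MID = b" HTTP/1.1\r\nCookie: session="
REQ_TAIL = b"\r\n\r\n"


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _feistel(key, block, rounds):
    # Toy keyed permutation; decryption is the same network with rounds reversed.
    left, right = block[:8], block[8:]
    for r in rounds:
        f = hmac.new(key, bytes([r]) + right, hashlib.sha256).digest()[:8]
        left, right = right, _xor(left, f)
    return right + left


def block_encrypt(key, block):
    return _feistel(key, block, range(4))


def block_decrypt(key, block):
    return _feistel(key, block, range(3, -1, -1))


def cbc_encrypt(key, iv, plaintext):
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, cur), prev))
        prev = cur
    return b"".join(out)


class Session:
    """One SSL 3.0-style connection: the browser (send) and the server (accepts)."""

    def __init__(self, cookie, seed=1):
        self.rng = random.Random(seed)  # deterministic so the demo is repeatable
        self.enc_key = self._rand(16)
        self.mac_key = self._rand(16)
        self.cookie = cookie

    def _rand(self, n):
        return bytes(self.rng.getrandbits(8) for _ in range(n))

    def send(self, path_len, body_len):
        """Browser side: the attacker's script picks the URL and body lengths,
        the browser attaches the secret cookie and seals the record."""
        data = REQ_HEAD + b"a" * path_len + REQ_MID + self.cookie + REQ_TAIL + b"x" * body_len
        mac = hmac.new(self.mac_key, data, hashlib.sha1).digest()
        pad_len = (BLOCK - 1) - (len(data) + MAC_LEN) % BLOCK
        # SSL 3.0 padding: pad_len filler bytes whose values are never checked,
        # then the pad_len byte itself. The MAC does not cover the padding.
        padding = self._rand(pad_len) + bytes([pad_len])
        iv = self._rand(BLOCK)
        return iv + cbc_encrypt(self.enc_key, iv, data + mac + padding)

    def accepts(self, record):
        """Server side: True if the record passes SSL 3.0's checks. This
        accept/reject signal is all the attacker gets to see."""
        iv, body = record[:BLOCK], record[BLOCK:]
        pt = cbc_decrypt(self.enc_key, iv, body)
        pad_len = pt[-1]
        if pad_len >= BLOCK:  # the only padding check SSL 3.0 makes
            return False
        pt = pt[:len(pt) - pad_len - 1]
        data, mac = pt[:-MAC_LEN], pt[-MAC_LEN:]
        return hmac.compare_digest(mac, hmac.new(self.mac_key, data, hashlib.sha1).digest())


def poodle_recover(session, cookie_len, max_tries=50000):
    """Recover the cookie byte by byte through the padding oracle."""
    fixed = len(REQ_HEAD) + len(REQ_MID)  # plaintext before the cookie not chosen by the attacker
    recovered = bytearray()
    for j in range(cookie_len):
        # URL length chosen so cookie byte j is the LAST byte of plaintext block k.
        path_len = (-(fixed + j + 1)) % BLOCK
        k = (fixed + path_len + j) // BLOCK
        # Body length chosen so data+MAC end on a block boundary: the record then
        # ends in a full padding block (15 filler bytes and a 0x0f length byte).
        body_len = (-(fixed + path_len + cookie_len + len(REQ_TAIL) + MAC_LEN)) % BLOCK
        for _ in range(max_tries):
            rec = session.send(path_len, body_len)
            blocks = [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]  # blocks[0] is the IV
            # Swap the padding block for the ciphertext block that holds cookie byte j.
            forged = b"".join(blocks[:-1]) + blocks[k + 1]
            if session.accepts(forged):
                # The server saw 0x0f as the last byte of D(blocks[k+1]) XOR blocks[-2],
                # and D(blocks[k+1]) = P_k XOR blocks[k], which pins down P_k's last byte.
                recovered.append((BLOCK - 1) ^ blocks[k][-1] ^ blocks[-2][-1])
                break
        else:
            raise RuntimeError("oracle never accepted a forged record")
    return bytes(recovered)


if __name__ == "__main__":
    print(poodle_recover(Session(b"SESSID42"), 8))
```

Everything the attacker needs is on the wire or chosen by the attacker: the request lengths (via script in the browser), the previous ciphertext blocks, and the server's one-bit verdict. Refusing SSLv3.0 removes the oracle, since TLS 1.0 and later require every padding byte to carry the padding length and reject records whose padding is malformed.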
What are we doing about this?
Internet Explorer –
IITS will roll out an update for Internet Explorer that disables SSLv3.0 and below. (To update your personal (home) computer, see "How to Protect Yourself"; in Internet Explorer the relevant setting is the "Use SSL 3.0" checkbox under Internet Options > Advanced.)
Firefox –
If you prefer to use Firefox to browse the web, Mozilla has disabled SSLv3.0 by default starting with Firefox 34. On an older version you can get the same protection by setting security.tls.version.min to 1 in about:config, which makes TLS 1.0 the lowest version Firefox will negotiate. To check what version of Firefox you currently have and update it:
Google Chrome (Windows) –
Chrome can be told to refuse SSLv3.0 by starting it with the command-line flag --ssl-version-min=tls1. The flag can be added to the Target of a Chrome shortcut or of the application pinned to the taskbar, but it only takes effect for Chrome instances launched through that shortcut.
Alternatively, you can edit the http\shell\open\command registry value under HKEY_CLASSES_ROOT so that it passes --ssl-version-min=tls1, similar to the following example:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --ssl-version-min=tls1 -- "%1"
This protects you even if you open Chrome by clicking a link in an email or another document, since such links are opened through the registered http handler. Make the same change to the https\shell\open\command value so that https links are covered too. Thanks to Dr. Thomas Kunst.
Google Chrome (Mac) –
On a Mac the same flag can be passed from Terminal:
open -a "Google Chrome.app" --args --ssl-version-min=tls1
Quit Chrome first: if it is already running, open only brings the existing window forward and the flag is ignored. The flag applies only to the instance started this way, so depending on how you open Google Chrome you may have to open it differently. If you open it through Spotlight, type Chrome-POODLE-Proof instead of Google Chrome. If you open it by clicking it in the Dock, open Finder, click Applications, and drag Chrome-POODLE-Proof.app to the Dock. When you want to open Chrome, click the icon that looks like a robot holding a pipe instead of the normal Google Chrome icon.
Google Chrome (Linux) –
Thanks to gertvdijk on AskUbuntu.
Open /usr/share/applications/google-chrome.desktop in a text editor. The line
Exec=/usr/bin/google-chrome-stable %U
should become
Exec=/usr/bin/google-chrome-stable --ssl-version-min=tls1 %U
The file also contains Exec= lines for the "New Window" and "New Incognito Window" actions; add the flag to each of them, or Chrome started from those menu entries will not be protected. A package update will overwrite a file edited in /usr/share/applications; a copy placed in ~/.local/share/applications takes precedence over the system file and survives updates. As with the Windows and Mac shortcuts, the flag is a stop-gap that only covers launches which pass it; a Chrome update that disables SSLv3.0 itself (Chrome 39 stopped falling back to it, Chrome 40 turned it off) covers every launch.
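The following script applies the edit above in a way that covers every launcher (example code added for this page, not from gertvdijk's answer or from Google): it inserts --ssl-version-min=tls1 into every Exec= line of the desktop entry, including the per-action ones, and writes the result under ~/.local/share/applications, where it overrides the system file without being touched by package updates. The sample desktop entry embedded below is constructed to have the shape of Chrome's; the function names are invented for the example.

```python
"""Rewrite a Chrome .desktop entry so every launcher passes --ssl-version-min=tls1.

Added example for this page (not from the original post, gertvdijk's answer or
Google). Same edit as the one-line instruction above, applied to every Exec=
line and installed as a per-user override. SAMPLE_ENTRY is constructed.
"""
import os
import re
import sys

FLAG = "--ssl-version-min=tls1"
SYSTEM_ENTRY = "/usr/share/applications/google-chrome.desktop"
USER_DIR = os.path.expanduser("~/.local/share/applications")

# Constructed sample with the shape of Chrome's entry, including the per-action
# Exec= lines that an edit of the first line only would miss.
SAMPLE_ENTRY = """[Desktop Entry]
Name=Google Chrome
Exec=/usr/bin/google-chrome-stable %U
Type=Application
Actions=new-window;new-private-window;

[Desktop Action new-window]
Name=New Window
Exec=/usr/bin/google-chrome-stable

[Desktop Action new-private-window]
Name=New Incognito Window
Exec=/usr/bin/google-chrome-stable --incognito
"""

EXEC_RE = re.compile(r"^(Exec=\S+)")


def add_flag_to_exec(line):
    """Insert FLAG right after the executable of one Exec= line.

    Non-Exec lines and lines that already carry the flag come back unchanged.
    The flag goes ahead of existing options and the %U field code so the URL
    argument stays last. Assumes an unquoted executable path, as Chrome's has.
    """
    if not line.startswith("Exec=") or FLAG in line:
        return line
    return EXEC_RE.sub(lambda m: m.group(1) + " " + FLAG, line, count=1)


def harden_desktop_entry(text):
    """Apply add_flag_to_exec to every line of a desktop entry."""
    return "\n".join(add_flag_to_exec(line) for line in text.split("\n"))


def install_user_override(source=SYSTEM_ENTRY, dest_dir=USER_DIR):
    """Write the hardened copy to the user's applications directory and return its path."""
    with open(source, encoding="utf-8") as f:
        text = f.read()
    os.makedirs(dest_dir, exist_ok=True)
    dest = os.path.join(dest_dir, os.path.basename(source))
    with open(dest, "w", encoding="utf-8") as f:
        f.write(harden_desktop_entry(text))
    return dest


if __name__ == "__main__":
    print(harden_desktop_entry(SAMPLE_ENTRY))
    if "--install" in sys.argv[1:]:
        print("wrote", install_user_override())
```

Run it without arguments to see the rewritten sample; run it with --install on the Chrome machine to write the override. If the launcher menu does not pick the new entry up immediately, run update-desktop-database on ~/.local/share/applications.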
Safari –
Currently there is no known way to disable SSLv3.0 in Safari. We will continue to monitor this situation and release updates accordingly.
How to protect yourself at home:
Disabling SSL 3.0 is sufficient to mitigate this issue. For instructions on how to disable SSLv3.0 in your browsers at home, click Disabling SSLv3.0 and follow the instructions on the page.
To check if your browser disabled SSLv3.0: