Skip to content

POODLE – SSLv3 Weakness

You probably woke up this morning and wondering what is POODLE and how does it weaken SSL encryption. POODLE stands for “Padding Oracle On Downgraded Legacy Encryption”. It was discovered by a trio of Google security researchers last month. It’s a weakness in SSLv3, a 15 year old security protocol. They published a technical paper. This vulnerability can allow an attacker to decrypt secure https cookies or web sessions which could be used to login to accounts as you. However, this is a difficult to implement as it involves a man-in-middle attack. It basically means a hacker is intercepting traffic between your computer using a browser and a SSLv3 enabled site. An example is at a public Wi-Fi hotspot set up by a hacker. But decryption happens on average once in every 256 requests.

What can I do as an internet end user?

Disable SSLv3 support in your browser. To disable in IE, Chrome and Firefox, visit this website. You can then visit this website to test with different browsers.

What can I do as a website operator?

We are currently disabling SSLv3 on all shared hosting servers. For customers running VPS or dedicated servers can send a support ticket.
If you want to disable yourself, visit Qualys and enter your website. You are vulnerable if under Configuration, “SSL 3 is Yes”. The folks at DigiCert provided some helpful links to disable in IIS, Apache and Nginx.

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *