Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

POODLE's bark is bigger than its bite

Tony Bradley | Oct. 20, 2014
Google researchers revealed a major flaw in the SSL encryption protocol--SSLv3 to be precise--which has been affectionately named "POODLE." The vulnerability is more serious than the silly name might suggest, and the news has garnered a lot of attention because of the potentially broad implications. But security experts assure us the sky is not falling.

What Should You Do?

According to Morey Haber, senior director of program management for BeyondTrust, the solution is relatively simple: Patch and update. "Upgrade your OS and browsers to the latest versions and continue to patch on a regular basis. Avoid end-of-life operating systems like Windows XP. For companies that are still using SSL3.0 on their websites, they need to think of their customers first and upgrade as well."

The major browsers are responding to the threat with updates that will disable SSLv3 and / or prevent the browser from downgrading to the vulnerable protocol. Greg Keizer of sister site Computerworld reported that Mozilla will disable SSLv3 effective with Firefox 34 — scheduled for release on November 25. Google and Microsoft have both announced intentions to make similar changes, but they've not committed to a specific timeline. It seems safe to assume, though, that both Google and Microsoft will react as quickly as possible to protect customers.

In the meantime, you can manually disable SSLv3 compatibility in your browser. For example, in the Internet Options of Internet Explorer on the Advanced tab under Security, you can simply uncheck SSL 3.0 as an option. It is also possible to do in Firefox and Chrome, although the process may not be as simple.

The most obvious method of mounting a man-in-the-middle attack exploiting POODLE would be to set up a rogue Wi-Fi network and lure users into connecting to it. Itsik Mantin, director of security research for Imperva, stresses, "I think the most important thing from a user's perspective is to take extra caution when connecting to untrusted networks, in particular open Wi-Fi in public areas, and avoid visiting sensitive sites (e.g., banking applications)."

The bottom line is that POODLE is a threat, but its bark is worse than its bite. As long as you use operating systems and applications that are patched and updated, and follow basic security best practices such as not connecting to shady sites or servers, and not conducting online banking over an insecure public Wi-Fi network, you should be relatively safe.

 

Previous Page  1  2 

Sign up for CIO Asia eNewsletters.