POODLEs aren’t that cute
The POODLE vulnerability (“Padding Oracle On Downgraded Legacy Encryption” – CVE-2014-3566) is an exploit of SSLv3, an almost 20-year-old protocol that shouldn’t really be supported any more. Except some sites still do! An attack works by forcing fallback to SSLv3, then making multiple SSL requests to mathematically predict and then decode an encrypted data stream.
This then allows the execution of a man-in-the-middle attack, so this isn’t necessarily something that is as serious as Heartbleed or Shellshock, but it could be used in conjunction with other attacks – e.g. phishing attempts via a compromised site or impersonation of a public Wi-Fi hotspot to eavesdrop on traffic. If you’re browsing from home and not clicking on unknown email links, you’re fairly well protected already.
The easiest permanent mitigation on both the browser and server side is to simply disable SSLv3 and ensure your HTTP server or client software is updated to the latest version – instructions on both are easy to find online.
You can also enable the TLS_FALLBACK_SCSV flag; however, updating to the latest version of your favourite browser should take care of any chance of fallback by now, as all major browsers have released security updates.
You can use the Qualys SSL Client Test to check if your browser is vulnerable and the SSL Server Test to check your website for POODLE.
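To complement the online tests, here is a local check that flags server configuration lines which still leave SSLv3 enabled. This is an added example, not part of the original post: it assumes nginx's `ssl_protocols` and Apache mod_ssl's `SSLProtocol` directives, treats Apache's `all` as including SSLv3 (a conservative assumption), and uses constructed sample configs.

```python
import re

# Constructed sample configs for illustration (not from the original post).
NGINX_SAMPLE = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;  # weak: SSLv3 listed
}
server {
    listen 8443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;              # corrected
}
"""
APACHE_SAMPLE = """
SSLProtocol all -SSLv2
<VirtualHost *:443>
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
"""

def _directive(line):
    return line.split("#", 1)[0].strip()  # drop trailing '#' comment

def nginx_sslv3_lines(text):
    """Line numbers whose ssl_protocols directive lists SSLv3."""
    hits = []
    for n, raw in enumerate(text.splitlines(), 1):
        m = re.match(r"ssl_protocols\s+([^;]*);", _directive(raw), re.I)
        if m and "sslv3" in m.group(1).lower().split():
            hits.append(n)
    return hits

def apache_sslv3_lines(text):
    """Line numbers whose SSLProtocol directive leaves SSLv3 enabled.
    Assumption: tokens apply left to right and 'all' includes SSLv3."""
    hits = []
    for n, raw in enumerate(text.splitlines(), 1):
        parts = _directive(raw).lower().split()
        if not parts or parts[0] != "sslprotocol":
            continue
        enabled = False
        for tok in parts[1:]:
            if tok in ("all", "+all", "sslv3", "+sslv3"):
                enabled = True
            elif tok in ("-all", "-sslv3") or tok[0] not in "+-":
                enabled = False  # removed, or a bare name replaced the set
        if enabled:
            hits.append(n)
    return hits
```

Feed each function the contents of a config file; any returned line number is a directive to tighten before re-running the server test.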
