What is Poodle Update, SSL 3.0 and TLS


The popular implementation of public-key encryption is the Secure Sockets Layer (SSL). SSL is an Internet security protocol used by browsers and servers to transmit private and sensitive information. SSL has become part of an overall security protocol known as Transport Layer Security (TLS).

It used to be believed that TLS v1.0 was marginally more secure than SSL v3.0, its predecessor. However, SSL v3.0 is getting very old and recent developments, such as the POODLE vulnerability have shown that SSL v3.0 is now completely insecure.

So what is this Poodle Vulnerability?

The Poodle (“Padding Oracle On Downgraded Legacy Encryption”) flaw was revealed by Google last month.
It works by forcing an HTTPS connection to a site to use the less secure SSL 3.0. This ‘fallback’ could then allow an attacker to steal session cookies which could give them access to a victim’s online accounts.

It is important to make sure your website does not use the less secure SSL 3.0 protocol and Uses the more up to date secure TLS protocol. So that if an attacker downgrades the connection to SSL 3 does not gain access to the private information like credit cards being sent from the browser to the server.

Paypal has notified all customers that they will be rejecting all SSL 3.0 connections to prevent problems, so if you havent updated your site, you wont be able to connect and accept payments from your website via Paypal.

Also, Google will put an end to Poodle-related problems with the launch of Chrome 40, which will disable SSL 3.0 completely.

Senior software engineer, Adam Langley, wrote in a note late last week that Google would be disabling that SSL 3.0 fallback from the next version of Chrome (39).

So shoppers on your website without the latest Poodle updates will recieve a error message when using Google chrome as their browser.

Google said that in Chrome 40, Google will disable SSL 3.0 completely, shutting off any avenue for attack via Poodle.

“In time, SSLv3 client support will be removed from the code, so anyone re-enabling SSLv3 and/or fallback to it via policy, command line options or about:flags should not treat that as a long-term solution,” Langely From Google explained.

Linux Server administrators would be updating all Apache servers to also prevent users from writing code which would use the SSL encryption method.

If you need to upgrade your software or website to remove Poodle vulnerabilities or for any other code related issues or concerns please give us a call.