wolfinthewood: Wolf's head in relief from romanesque tympanum at Kilpeck, Herefordshire (Default)
[personal profile] wolfinthewood

Attack of the week: POODLE:
Believe it or not, there's a new attack on SSL. …

The attack is called POODLE …

The rough summary of POODLE is this: it allows a clever attacker who can (a) control the Internet connection between your browser and the server, and (b) run some code (e.g., script) in your browser to potentially decrypt authentication cookies for sites such as Google, Yahoo and your bank. This is obviously not a good thing, and unfortunately the attack is more practical than you might think. You should probably disable SSLv3 everywhere you can. – Matthew Green, cryptographic engineer

Unfortunately, some sites, including a few banking sites, still do not support TLS. There is a list of such sites here: https://zmap.io/sslv3/ [Scroll down to the section 'Alexa HTTPS Sites Without TLS Support'.] If you use Firefox, you can install an addon which would disable SSL 3.0 but allow you to change the setting from a menu to access a particular site. See below, under Firefox.

Internet Explorer

To disable SSLv3 in Internet Explorer, versions 7--11, you can follow this procedure:

1. Click on the Tools menu and select Internet Options. (If the tools menu isn't visible, press ALT+ T in Internet Explorer 8 and ALT+ X in Internet Explorer 9--11.)

2. Select the Advanced tab.

3. Scroll down to foot.

4. Uncheck Use SSL 3.0.

5. Make sure Use TLS 1.0 is checked, and any other Use TLS setting as well (if there are others).

6. Click on OK.

If you are still using IE 6 you have a problem, since IE 6 can't use TLS. (But who is still using IE 6?)


To disable SSLv3 in Firefox you can install the addon on this page: https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/

This will disable SSL 3.0 but allow you to change the setting from a menu if you find you need to use a site that lacks TLS support.

If for any reason you don't wish to install the addon you can follow this procedure:

1. Type about:config in the URL bar.

2. Disregard the warning.

3. Type security.tls.version.min in the search box. The settings for this preference will immediately appear at the top of the window below.

4. If Value = 0 double-click on the 0, type 1 into the box that appears, and click OK.

5. Close tab.


This page has a section on how to fix Chrome and related browsers: https://www.winhelp.us/news/144/207/How-to-protect-browsers-from-SSL-3-POODLE-attacks.html [Scroll down to 'How to disable SSL 3 in Google Chrome and other Chromium-based browsers']


Apple have issued an update that is supposed to fix OS X (Mavericks and Mountain Lion only): http://www.computerworld.com/article/2835654/apple-patches-os-x-to-protect-against-poodle.html [Scroll down to end of article for information on how to install it.]

No fix for IOS yet.