Difference between revisions of "Security - Poodle"

From All n One's bxp software Wixi

 
Line 54: Line 54:
  
 
However to facilitate some client infrastructures having to change, implementation of the TLS only fix on the servers has been delayed to give clients a chance to update their infrastructures.
 
However to facilitate some client infrastructures having to change, implementation of the TLS only fix on the servers has been delayed to give clients a chance to update their infrastructures.
 +
 +
 +
 +
 +
[[Category:Topic:Security]]

Latest revision as of 20:22, 9 November 2014

1 Overview

Poodle is the code name for a security hole, discovered by Google, in a secure protocol that computers use to talk to each other. It stands for "Padding Oracle On Downgraded Legacy Encryption".


There are some very clear explanations on the issue.


If you'd rather watch a video on it: http://www.youtube.com/watch?v=C8ks8WLoZto


If you'd prefer to read about it: http://www.ibtimes.co.uk/what-poodle-latest-online-security-threat-after-shellshock-heartbleed-1470300


The bug affects the SSL encryption technology and allows hackers to trick computers into sharing sensitive data which could give them access to your emails or social media accounts.


2 How can I check?

http://www.poodletest.com/


If you want to test a server:


http://www.poodlescan.com/


3 How do I fix the problem?

Again, this is a relatively easy fix. You can simply instruct your browser not to support the SSL 3.0 standard and set the lowest encryption standard it accepts to TLS 1.0, which is much more secure.


The problem, of course, is that you won't be able to visit the websites which continue to use SSL 3.0, though this list is getting smaller and smaller.


Scott Helme has put together a comprehensive list of instructions on how to disable SSL 3.0 on Chrome, Firefox and Internet Explorer, as well as on servers running Apache, Nginx and IIS.


https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/


4 Poodle and bxp software

All n One were aware of the issue on the 15th of October 2014, less than 24 hours after its discovery.


However, because some clients have to change their infrastructures, implementation of the TLS-only fix on the servers has been delayed to give those clients a chance to update.