Following reports yesterday that Windows users are at risk from the ‘SandWorm’ vulnerability, another issue that will affect a large part of the web was disclosed last night. Dubbed ‘Poodle’, it is a vulnerability in SSL 3.0, an old protocol that is still in use by web browsers and servers. Discovered by Google researchers*, Poodle (Padding Oracle On Downgraded Legacy Encryption) has been in existence for 15 years within SSL version 3.0. While many websites now default to other protocols such as Transport Layer Security (TLS), many still use SSL 3.0, making this a significant security risk for users.
Iain Wallace, Senior Security Consultant at cyber security consultancy, Nettitude, has made the following comments:
“In terms of how this will affect users, many websites will stop supporting connections using SSL 3.0, meaning that anyone using an old browser is likely to find websites served over HTTPS that they previously used may now no longer appear to work. In order to have the best chance of being able to connect securely to HTTPS websites, users should ensure they download and use the newest available version of a web browser. At the time of writing, these are Google Chrome v37, Internet Explorer 11 and Firefox v32. In order to protect its users, Google Chrome will start to disable use of SSL 3.0 automatically in forthcoming releases.
“When it comes to the impact on web service administrators or owners, in order that web browsers do not negotiate a connection using SSLv3, any cipher suites using SSL 3.0 should be disabled. All current generation browsers support TLS in some way or another, which should mean the impact of disabling SSLv3 is minimal.
“Data breach fatigue is another unfortunate consequence of the frequent reports of cyber incidents, but individuals and organisations must not be complacent regarding the risks. This latest vulnerability is another reminder of the need to continually update security software and ensure that a comprehensive and layered defence against the evolving cyber threat landscape is in place.”