What is the POODLE Vulnerability and How Can You Protect Yourself?

May 1, 2019 | Security

It’s hard to wrap our minds around all these Internet catastrophes as they occur, and just as we thought the Internet was secure again after Heartbleed and Shellshock threatened to “end life as we know it,” out comes POODLE. Don’t get too worked up because it is not as menacing as it sounds. The truth is that it is an issue to be concerned with, but there are simple steps you can take to safeguard yourself.

What is POODLE?

Let’s start on the ground floor. What is POODLE? First off, it stands for “Padding Oracle On Downgraded Legacy Encryption.” The security issue is exactly what the name suggests, a protocol downgrade that allows exploits on an outdated form of encryption. The issue came to the world’s attention this month when Google released a paper called “This POODLE Bites: Exploiting The SSL 3.0 Fallback”.

To explain this in simpler terms, if an attacker using a Man-In-The-Middle attack can take control of a router at a public hotspot, they can force your browser to downgrade to SSL 3.0 (an older protocol) instead of using the much more modern TLS (Transport Layer Security), and then exploit a security hole in SSL to hijack your browser sessions.

Since this problem is in the protocol, anything that uses SSL is affected. As long as both the server and the client (web browser) support SSL 3.0, the attacker can force a downgrade in the protocol, so even if your browser tries to use TLS, it ends up being forced to use SSL instead. The only answer is for either side or both sides to remove support for SSL, removing the possibility of being downgraded.

If you primarily browse from home and don’t use public hotspots, the potential for damage is pretty low, and you can just take the easy steps outlined later in the article to protect yourself. If you often use a public hotspot, it might be time to think about using a VPN.

How Can We Solve the Problem?

Since there’s no way to solve the problems with SSL, the only solution is for browser makers and web servers to upgrade everything to remove support for SSL and require only TLS encryption. Google and Firefox have already announced that they will be removing support in the future, and while we haven’t (yet) heard the same from Microsoft, it’s extremely easy as an end-user to disable SSL 3.0 in IE.

Most of the large web companies are removing support for SSL after this problem came to light, but it will take a while for everybody to do so. As a consumer, you can remove support for SSL from your browser using one of the methods outlined below, or if you are using Firefox or Google Chrome and aren’t using hotspots all the time, you could wait for them to update the browser. Or you can make sure that you’ve fixed the problem yourself.

Disabling SSL 3.0 in Mozilla Firefox

If you are a Mozilla Firefox user, your SSL 3.0 concerns will be put to bed on November 25th, 2014 when Firefox 34 is released. The one problem with this is that it isn’t yet November and you need to take action to protect yourself now.

Start by opening up your Firefox browser and navigating to the SSL Version Control download page in Firefox. When it has successfully been installed, you can enter “about:addons” into the navigation bar and select the “SSL Version Control” extension. You can click on “Options” to see the settings for the extension. Ensure that the “Automatic Updates” are on and that the “Minimum SSL Version” is set to “TLS 1.0”.

After Firefox 34 has been released, you can feel free to disable the extension or uninstall it.

Disabling SSL 3.0 in Google Chrome

If you are a Google Chrome user, you can rest assured that SSL 3.0 will be disabled in the upcoming months, although they have not yet set a date. If you want to protect yourself now, it can be done in a few simple steps.

Simply go to your Google Chrome desktop icon and right click on it, then select “Properties” at the bottom of the popup menu. In the “Properties” window you will see a text input box that says “Target.” Simply click in this box and press the “End” button on your keyboard. Next, press the “Spacebar” and copy and paste this text onto the end:

    --ssl-version-min=tls1

Press “Apply,” then click “Continue” in the popup window, then press “OK.” Now your browser will automatically reject SSL 3.0 connections and only accept TLS 1.0 and higher.

It’s worth noting that if you launch Chrome through any other shortcut on your computer, it won’t be using this flag.

Disabling SSL 3.0 in Internet Explorer

Microsoft has not yet announced when they are planning to address the SSL 3.0 issue, so it is best to disable it yourself by opening your “Start” menu and typing in “Internet Options.” Go to the “Advanced” tab and scroll down to the “Security” section until you see the SSL and TLS options, and then un-check the option for Use SSL 3.0, and enable TLS instead.

This way you can be sure that your Internet browsers are all secure from any potential POODLE attacks.
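
The downgrade logic described under “What is POODLE?”, as an added example that is not part of the original article: a simplified Python model of a client that retries with older protocol versions, showing why raising the minimum version on either side removes the SSL 3.0 fallback. The names `Version`, `handshake`, `connect` and `scenarios` are hypothetical, and no real TLS is spoken.

```python
# Added illustration: a simplified model of protocol version fallback.
# All names are hypothetical; no real TLS handshake is performed.
from enum import IntEnum


class Version(IntEnum):
    SSL3 = 0
    TLS1_0 = 1
    TLS1_1 = 2
    TLS1_2 = 3


def handshake(offered, client_min, server_min, server_max):
    """Return the highest version both sides accept for this offer, or None."""
    chosen = min(offered, server_max)
    if chosen >= server_min and chosen >= client_min:
        return Version(chosen)
    return None


def connect(client_min, client_max, server_min, server_max, interference=False):
    """Model a browser that retries with an older version after a failure.

    interference=True models the man-in-the-middle from the article as every
    attempt above SSL 3.0 failing, which pushes the client down the list.
    Returns the negotiated Version, or None when no connection is made.
    """
    offers = [v for v in Version if client_min <= v <= client_max]
    for offered in sorted(offers, reverse=True):
        if interference and offered > Version.SSL3:
            continue  # attempt failed, client falls back to the next version
        result = handshake(offered, client_min, server_min, server_max)
        if result is not None:
            return result
    return None


def scenarios():
    """The four cases the article's argument rests on."""
    S, T0, T2 = Version.SSL3, Version.TLS1_0, Version.TLS1_2
    return {
        "both allow SSL 3.0, clean network": connect(S, T2, S, T2),
        "both allow SSL 3.0, interference": connect(S, T2, S, T2, True),
        "client minimum TLS 1.0, interference": connect(T0, T2, S, T2, True),
        "server minimum TLS 1.0, interference": connect(S, T2, T0, T2, True),
    }


if __name__ == "__main__":
    for name, version in scenarios().items():
        print(f"{name}: {version.name if version else 'no connection'}")
```

In the last two scenarios the connection fails outright instead of settling on SSL 3.0, which is the effect the browser settings above are meant to have.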