POODLE?

Today there is news of a vulnerability affecting a very old encryption protocol called SSLv3. SSLv3 that was released in 1996 and was a complete redesign of it's predecessor SSLv2. During it's time it saw wide support, however as encryption methods improved it was replaced with Transport Layer Security (TLS) there have been 3 versions of TLS (1.0, 1.1, and 1.2). Today, browsers no longer use SSLv3 as their primary encryption protocol. However one famous browser Internet Explorer 6 requires SSLv3. Because of the wide use of IE6 SSLv3 is still supported by 97% of encrypted websites today. Which means 97% of the encrypted websites today could now be a lot less secure.

The newewst vulnerability is called POODLE which stands for "Padding Oracle On Downgraded Legacy Encryption". POODLE is the third known vulnerability to affect SSLv3 following BEAST and CRIME. Both of which have had active exploits.

The reason for this article is to share with you what Smat Web Design has done in response to this recent news. On October 7^th in a periodic review of TLS & SSL best practices, it was decided that it was time we disable SSLv3. We proceeded to make this change to the websites we host for our clients and services we provide.

Other relevant news articles:

• Fix for critical 'POODLE' attack against SSL 3.0 could break Web for Internet Explorer 6
• SSL broken, again, in POODLE attack
• Google's Poodle affects oodles