In the past few weeks – we have seen a lot of discussion going on about the POODLE vulnerability. Since a lot of StopTheHacker customers manage their own websites we would like to provide a little guidance on this matter.
A new vulnerability has been released that targets SSLv3. This vulnerability allows attackers to pad a request in order to calculate the plaintext of encryption using the SSLv3 protocol. This effectively allows an attacker to compromise the encryption of the SSLv3 protocol. Full details have been published by Google in a paper which dubs the bug POODLE.
In general, modern browsers default to modern encryption protocols (e.g., TLSv1.2). Unfortunately, it’s possible for an attacker to simulate conditions in many browsers that will cause them to fall back to SSLv3. This means that an attacker could force a downgrade to SSLv3, then any traffic exchanged over an encrypted connection using that protocol could be intercepted and read.
For more information please see this CloudFlare Blog: https://blog.cloudflare.com/sslv3-support-disabled-by-default-due-to-vulnerability/