
SSLv3 Poodle Security Breach


SSLv3 POODLE Security Vulnerability Breaks SSLv3 Secure Browsing

When you access high-profile sites and services such as your bank, Twitter or Google, you typically connect using https://, which relies on a feature called SSL (Secure Sockets Layer), but a new security defect could break that open. SSL or TLS (Transport Layer Security) provides encryption to protect your information from being intercepted, spied upon or modified by attackers in between you and the service provider. This widely used technology is what prevents someone sitting next to you in Starbucks from watching your transactions as you access your Internet banking, and it is also frequently used when accessing your e-mail account to stop your username and password disappearing into the hands of cyber criminals. Simply put, SSL is a core component of security, privacy and trust on the Internet.

Great though all that sounds, many sites unfortunately still fail to adhere to best practice, and many don’t implement these security features at all, leaving information open to interception. Even those which do try to do the right thing can have significant setbacks due to implementation failures or security vulnerabilities. That is precisely what has happened with the new, cutely named, but very nasty POODLE vulnerability.

SSL has a number of different versions, and which ones you support is important from a security standpoint. Backwards compatibility with older versions can get you in real trouble, and you can see a wonderfully detailed breakout of the features of each version and timelines here. The SSLv3 POODLE vulnerability impacts SSL version 3 and, under the right conditions, would allow an attacker to gain access to information that would let them take over your account. For example, the flaw may enable an attacker to gain access to session tokens or credentials so they can hijack the identity of another user. The vulnerability, discovered by Google security researchers Thai Duong, Bodo Möller and Krzysztof Kotowicz, is fully outlined in this paper and makes interesting reading. Geeky bit: the attack is essentially a padding oracle attack against CBC-mode ciphers in SSLv3 (CBC, or cipher block chaining, uses the output of the previous block as input to the processing of the next block, which prevents duplicate blocks of data producing identical ciphertext blocks).

For the attack to work, the attacker must be on the same wireless network (or in the path of your communications) and your client must be running JavaScript (such as in a web browser), which makes the attack less serious than vulnerabilities like Heartbleed. This attack is effective against clients (as opposed to servers, as with Heartbleed or Shellshock), so it is of the greatest concern to users browsing on wireless hotspots where others may be listening. It is nonetheless sufficiently serious that Twitter has announced they have entirely disabled SSLv3.

What you should do

You may be able to force your browser to disable SSL version 3. The methods vary, but for example in Firefox you can type the special URL about:config and change the setting security.tls.version.min to 1.

Some browsers allow you to do this, whereas others, like Safari, can pose quite a challenge. A more complete fix is on the way (for those that want to read more, check out TLS_FALLBACK_SCSV), but for the moment disabling SSLv3 is a good move. If you want to check if your browser is vulnerable, you can try https://www.ssllabs.com/ssltest/ which shows you a trendy-looking poodle if you are open to the attack. Using a VPN client to protect all your network traffic on open networks will also prevent attackers launching the attack (as long as it is not an SSL VPN that uses SSLv3).

If you are a business and host services, there are steps you can take to prevent your users being attacked too. Users accessing your services from open wireless networks are the most at risk. To mitigate this risk you can simply disable SSLv3 in favour of more recent standards such as TLS 1.0, 1.1 or 1.2. Unfortunately, some platforms and operating systems do not support the more recent standards. Older versions of Internet Explorer (such as the one in the older, no longer supported but still regrettably widely used Windows XP) only support SSLv3, as is the case for numerous other apps and pieces of software. If you are in the position of using software that only supports these standards, you should undoubtedly look at upgrading, not just because of this vulnerability but because that software most likely has other serious defects too. If you run a web server and want to make sure you have your transport security ducks in a row, you can check out this guide, or you can check how your site scores using this neat tool.
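As an added example (not part of the original post), the following Python sketch audits web server configuration text for directives that leave SSLv3 enabled, showing a weak setting beside its corrected form. It assumes the nginx `ssl_protocols` and Apache `SSLProtocol` directives, which the post does not name; the sample configs are constructed, and Apache's `all` is treated as including SSLv3, which holds when the underlying OpenSSL build still supports it.

```python
import re

# Constructed sample configs for illustration (not taken from the post).
NGINX_WEAK = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;  # legacy clients
}
"""
NGINX_FIXED = NGINX_WEAK.replace("SSLv3 ", "")
APACHE_WEAK = "SSLEngine on\nSSLProtocol all -SSLv2\n"
APACHE_FIXED = "SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\n"

# Matches an uncommented nginx or Apache protocol directive and its arguments.
DIRECTIVE = re.compile(r"^\s*(ssl_protocols|SSLProtocol)\s+([^;#\n]+)",
                       re.M | re.I)
# Assumption: "all" expands to every protocol below, SSLv3 included.
ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}

def enabled_protocols(tokens):
    """Apply tokens left to right: '-name' disables, anything else enables.

    Simplified model that errs on the side of flagging a directive.
    """
    enabled = set()
    for tok in tokens:
        name = tok.lstrip("+-").lower()
        names = ALL if name == "all" else {name}
        if tok.startswith("-"):
            enabled -= names
        else:
            enabled |= names
    return enabled

def audit(config_text):
    """Return (line_number, directive) for each directive leaving SSLv3 on."""
    findings = []
    for m in DIRECTIVE.finditer(config_text):
        if "sslv3" in enabled_protocols(m.group(2).split()):
            line_no = config_text.count("\n", 0, m.start(1)) + 1
            findings.append((line_no, m.group(0).strip()))
    return findings

if __name__ == "__main__":
    for label, cfg in [("nginx weak", NGINX_WEAK), ("nginx fixed", NGINX_FIXED),
                       ("apache weak", APACHE_WEAK), ("apache fixed", APACHE_FIXED)]:
        print(label, audit(cfg) or "SSLv3 not enabled")
```

A clean result only covers directives present in the text; a config with no protocol directive falls back to the server's built-in default, which should be checked separately.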

This defect certainly is not another Heartbleed (as undoubtedly it will shortly be dubbed) but it is a failure in widely used technology that is a key component of your security.

If you suspect that the security of your network or data has been compromised, contact the Cyber Security Experts at Orange County Computer® so we can minimize the damage. Call our Tech Center at (949) 699-6619 or visit us online at OrangeCountyComputer.com. We are happy to help.


Information originally obtained James Lyne is a security researcher, general hacker type and destroyer of bad code. Follow @jameslyne on Twitter. View the story here.

Written by deborah

Deborah is the Operations Director at Orange County Computer and has been with the company since 2004.
