How To Protect Yourself From The POODLE Bug


In recent months, security bugs with names such as Heartbleed and Shellshock have been causing problems for millions of computers worldwide. The latest such bug has been named POODLE, and is the result of a security weakness in an obsolete version of SSL that is still supported by most web browsers.

SSL is the technology that encrypts data on confidential web pages, such as password entry screens and pages showing financial data. By exploiting the POODLE bug, hackers can gain access to private data, although it's quite difficult to do and attacks are not widespread.

If you're worried about this latest bug, head to https://www.ssllabs.com/ssltest/viewMyClient.html for an instant test that will tell you whether your web browser is vulnerable.  If it is, you'll need to disable SSL v3 in your browser.  Details on how to do so can be found at https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol and are easy to follow.

 

 

A poodle yesterday


Comments

Are Linux and Firefox on Linux susceptible to the POODLE bug?

Thanks for this, very clear and useful.

1. I think some people are confused because you can check both your browser(s) and your ISP/Server: as I understand it, if you can get your browser straight, it doesn't matter about the server – open to correction on this point.

2. Should we not make similar amendments to stop downgrades from TLS1.2 to TLS1.1 and 1.0, as Adam Langley suggests they are also risky, and my version of Firefox shows both as switched on? (https://www.imperialviolet.org/2014/10/14/poodle.html)

Rob: Appreciate your many vital PC and software articles. :)

Thank you much!
Alan

I went to ssllabs - browser vulnerable.
Followed directions for disabling SSL v3.
Relaunched browser. Still vulnerable.

Went to Poodle Test. Not vulnerable.

Removed the disabling command on Chrome.
Went back to Poodle Test. Not vulnerable.

So which is correct?

You have to clear your browser cache between tests or they will not be reliable. Probably using Ctrl-F5 will work as well.

I am confused.

In https://wiki.apache.org/tomcat/Security/POODLE we see:
"On-line testing tools
Test your browser here:
https://www.poodletest.com/
Test your server here:
https://www.ssllabs.com/ssltest/"

In the second I receive the info that my browser (Chrome) is unsafe.

On the other, that it is safe.

Cheers from Rio,
Roger

You have to clear your browser cache between tests or they will not be reliable. Probably using Ctrl-F5 will work as well.

Roger,

What do you mean, "On the other, that it is safe"? Of the three websites you listed, only one of them can test your browser: https://www.poodletest.com/. That one says your Chrome browser is unsafe; it IS unsafe.

The first URL you list, https://wiki.apache.org/tomcat/Security/POODLE, is an information page, much like this one. It doesn't test browsers.
The third URL you list, https://www.ssllabs.com/ssltest checks websites. It doesn't check browsers either.

So it sounds like you DO need to fix your Chrome browser to make it safe. Go to the website in the article above to learn how to fix Chrome (https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol). Just page down until you find the information.

Bruce:

There are two tests recommended in the site I cited.
The first one is the same given in this article. It says I am vulnerable.
The other one says I am not.
That's why I got confused.

Thanks for caring.

Thanks Rob! Useful info.