Are you vulnerable to POODLE? What you need to know about the latest vulnerability

Written on 23 October, 2014 by Georgia Leaker
Categories: News | Tags: security

What is Poodle, and how does it affect me?

POODLE (Padding Oracle On Downgraded Legacy Encryption) is a vulnerability recently identified in the SSLv3 encryption protocol.

SSLv3 is a protocol used to secure browser connections, commonly for HTTPS communications. The most common types of data that are sent over HTTPS connections include sensitive information, such as login credentials for websites, payment information and email.

When exploited, this vulnerability allows secure connections to be decrypted to plain text, which is readable by others. This is performed using a man-in-the-middle attack, a form of active eavesdropping in which the attacker makes independent connections with two users who believe they are communicating directly with one another through a private connection. In fact, the entire conversation is controlled by the attacker, who is relaying information between the two and has the capability to inject new information, if desired.

In layman’s terms, when the POODLE vulnerability is exploited against your website, it allows any secure communications between your web browser and the web server to be captured and read by others.

How does it work?

If a web browser fails to connect over HTTPS using a more recent protocol version such as TLS v1.0-1.2, it might then fall back to connecting via SSL 3.0. This is the protocol within which the vulnerability lies and where the exploit is performed.

What is Netregistry doing to protect its customers from Poodle?

Netregistry will be disabling SSL 3.0 on our Cloud infrastructure and our cPanel infrastructure. This will prevent the POODLE vulnerability from being exploited on any websites in our shared hosting environments.

However, please note that some older browser versions might not be able to connect to any sites on our shared environments via HTTPS. This means that some visitors to your websites may receive connection failures when attempting to browse your sites via HTTPS.

For example, a user may visit an online store and attempt to make a purchase, which uses HTTPS to make the connection. If the user is using an old browser version that doesn’t support the TLS 1.2 (Transport Layer Security) protocol, then this user will receive a connection error and will not be able to continue with their purchase.
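For administrators who run their own servers, the check below shows what "SSL 3.0 disabled" looks like in configuration. It is an added example, not Netregistry's code or tooling: it assumes Apache mod_ssl's SSLProtocol directive and nginx's ssl_protocols directive, treats Apache's "all" as including SSLv3 (an assumption that matches 2014-era builds), and runs on constructed sample lines.

```python
import re

# Assumption: on 2014-era Apache builds, "all" still includes SSLv3.
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
CANON = {p.lower(): p for p in APACHE_ALL | {"SSLv2"}}

def apache_protocols(args):
    """Evaluate SSLProtocol tokens: '+' adds, '-' removes, a bare name replaces."""
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        key = name.lower()
        group = set(APACHE_ALL) if key == "all" else {CANON.get(key, name)}
        if sign == "+":
            enabled |= group
        elif sign == "-":
            enabled -= group
        else:
            enabled = group  # bare token overrides whatever came before it
    return enabled

def nginx_protocols(args):
    """nginx ssl_protocols is a plain list of the enabled versions."""
    return {CANON.get(t.lower(), t) for t in args.split()}

def audit(config_text):
    """Return (line_no, directive, sslv3_enabled) for each protocol directive."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"(?i)(SSLProtocol|ssl_protocols)\s+(.+?);?$", line)
        if not m:
            continue
        directive, args = m.group(1), m.group(2)
        is_apache = directive.lower() == "sslprotocol"
        protos = apache_protocols(args) if is_apache else nginx_protocols(args)
        findings.append((no, directive, "SSLv3" in protos))
    return findings

# Constructed sample lines (not taken from any real server).
SAMPLE = """\
SSLProtocol all -SSLv2                      # weak: SSLv3 still enabled
SSLProtocol all -SSLv2 -SSLv3               # corrected
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;  # weak
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;        # corrected
"""

if __name__ == "__main__":
    for no, directive, weak in audit(SAMPLE):
        print(f"line {no}: {directive}: SSLv3 {'ENABLED' if weak else 'disabled'}")
```
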

What can I do?

Netregistry will disable SSL 3.0, closing the POODLE vulnerability, on its server environment on the 29th of October, 2014. No action is required at your end.

However, to avoid being affected when browsing websites that are hosted externally to Netregistry and are still vulnerable, we strongly recommend that our customers update their web browser of choice to the latest version available, as these will support TLS 1.2.

How can I tell if my browser is up to date?

Click here for a table of all browser versions and whether or not they support TLS 1.2. If your preferred browser does not support it, we recommend updating or switching to a browser that does support it.