SSL 3.0 POODLE Vulnerability Patch Update

SSL 3.0 POODLE Update

Since Google announced the problem with POODLE (Padding Oracle On Downgraded Legacy Encryption) last Monday, a lot of people have been busy trying to make sure that the vulnerability is patched one way or another. We thought it would be a good idea to give you a roundup of some of the great coverage available.

  • POODLE vulnerability hastens the death of SSL 3.0 at the Tech Republic was published last Friday, but it’s a good rundown of the entire situation if you need to get caught up quickly. However, it’s only attracted two comments from people linking to websites. Still, a good overview of what was known last week.
  • Apple Patches OS X Mavericks for POODLE SSL Flaw at eWeek was also published last week. This is a good overview of how quickly Apple sprang into action. They’ve been plagued with problems recently, but they do have an active eye on security around the internet and take quick action when appropriate.
  • Are POODLE Security Fears Barking Up the Wrong Tree? at CIO Today was published last Friday, but it takes a look at some of the long-lasting effects of the POODLE vulnerability. Jennifer LeClaire’s big takeaway? This advice from Poul Wann, a security specialist at Secunia, “We encourage all users to disable SSL v3 support in all products where possible and e.g., utilize TLS v1.2 instead.”
  • POODLE’s bark is bigger than its bite by Tony Bradley at PC World was also published at the end of last week as a sort of wrap-up of some of the coverage that spread quickly online starting last Monday, October 13, 2014, when Google first announced the vulnerability. This write-up is a good one to send to a non-techie in your life who is asking you about POODLE attacks – if such a person exists in your life.
  • How To Protect Yourself Against The Internet “Poodle” Attack at Read Write is another article about the POODLE vulnerability aimed toward non-tech-savvy people. Sometimes it’s interesting to look at how the same topic is written about by publishers trying to reach two different audiences. It’s cute how they turned the acronym into a lowercase “Poodle” in quotes. Am I right?
  • POODLE Gets a Muzzle from OpenSSL at Infosecurity Magazine wins praise for the best (or worst) clever headline about POODLE attacks against SSL 3.0. The big takeaway from this article is advice from Jean Taggart, senior security researcher at Malwarebytes Labs, “Although POODLE is a vulnerability in an older version of SSL, and may not be as bad as Shellshock or Heartbleed, anything which can cause supposedly secure data to be intercepted should be taken seriously,” he said in an emailed comment. “This is known as a cypher suite rollback attack and allows communications to be intercepted.”

While it’s interesting to see how different publications have handled the story, at the end of the day, POODLE is something you need to take seriously. You need to take action. If you have any questions about POODLE, SSL 3.0, TLS 1.2 or any other security-related topic, leave a comment below and let us know. We love interacting with our readers as we aim to make Info.SSL.com the place to go for internet security news and views. Thanks.