POODLE is the latest Internet threat to take aim at secure (aka https) connections, which we rightly prefer over unsecured (aka http) ones. POODLE (Padding Oracle On Downgraded Legacy Encryption) specifically targets the SSL (Secure Sockets Layer) 3.0 protocol, exploiting a hard-coded flaw within SSL 3.0 to gain access to your data through browser cookies!
Sure, SSL3 is obsolete and has long been superseded by the TLS (Transport Layer Security) protocol. But it still lives on in legacy systems, or because of system admins too lazy to upgrade.
But the exploit author’s task is made so much easier as there are effectively only 3 core browser technologies — Internet Explorer, Google Chrome and Firefox — available. So the exploit only needs to use the aforementioned SSL flaw to attack via the browser.
Still unconvinced your browser in its present state is blemish-free? Open Poodletest.com and see for yourself. And if you do upgrade your browser to a more recent build, test anyway.
Luckily you can temporarily inoculate your browser to block any attacks. Here’s how:
Google Chrome: Edit the shortcut that launches Chrome by adding a flag to the end of the shortcut path.
- Select the icon used to launch Chrome then right-click the icon to select Properties.
- Under the Shortcut tab, find the box labeled “Target” and insert --ssl-version-min=tls1 immediately after chrome.exe" (note the space between .exe" and --ssl-), so the revised statement reads "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --ssl-version-min=tls1 (Note: If your original Chrome path doesn’t start and end with quotes, don’t add one after chrome.exe.)
The same add-on string works equally well with other Chrome-based browsers like Opera, SlimJet, Safari, etc.
Mozilla Firefox: A patched build is coming. Mozilla recommends using the SSL Version Control 0.2 add-on now.
Internet Explorer:
- Click the settings (gear) icon to open Internet options
- Then select the Advanced tab.
- Scroll down to the Security category and look for “Use SSL 3.0”
- Uncheck this box then click OK to save the change
- Finally relaunch IE
(NOTE: Network admins can apply this change to PCs on the local network via Windows Group Policy. Go to the Internet Explorer settings and modify the Turn off encryption support object (Windows Components\Internet Explorer\Internet Control Panel\Advanced Page).)
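For admins who would rather script the Internet Explorer and Chrome steps above than click through them, here is an added PowerShell example (not part of the newsletter content). It assumes the “Use SSL 3.0” checkbox maps to bit 0x20 of the per-user SecureProtocols registry value and that Chrome shortcuts sit on the Desktop or in the Start Menu; run it without -Fix to audit only.

```powershell
# Added example (not from the newsletter): audit, and with -Fix apply, the IE and
# Chrome settings described above for the current user.
param([switch]$Fix)

# --- Internet Explorer: the "Use SSL 3.0" checkbox ---
# Assumption: the checkbox is stored as bit 0x20 of the per-user SecureProtocols DWORD.
$SSL3 = 0x20
$key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$cur  = (Get-ItemProperty -Path $key -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols

if ($null -eq $cur) {
    Write-Output 'IE: SecureProtocols not set; defaults apply, check the Advanced tab by hand.'
} elseif ($cur -band $SSL3) {
    Write-Output ('IE: SSL 3.0 is ENABLED (SecureProtocols = 0x{0:X})' -f $cur)
    if ($Fix) {
        $new = $cur -band (-bnot $SSL3)          # clear only the SSL 3.0 bit
        Set-ItemProperty -Path $key -Name SecureProtocols -Value $new -Type DWord
        Write-Output ('IE: now 0x{0:X}; relaunch IE.' -f $new)
    }
} else {
    Write-Output ('IE: SSL 3.0 is disabled (SecureProtocols = 0x{0:X})' -f $cur)
}

# --- Chrome: the --ssl-version-min=tls1 shortcut flag ---
# A .lnk stores the program (TargetPath) and its flags (Arguments) separately; the
# Properties dialog shows them joined in the "Target" box.
$flag  = '--ssl-version-min=tls1'
$shell = New-Object -ComObject WScript.Shell
# Assumption: shortcuts live on the Desktop or in the Start Menu; add other folders as needed.
$dirs  = 'Desktop', 'Programs', 'CommonPrograms' | ForEach-Object { [Environment]::GetFolderPath($_) }

Get-ChildItem -Path $dirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)
    if ($lnk.TargetPath -notlike '*\chrome.exe') { return }   # skip non-Chrome shortcuts
    if ($lnk.Arguments -like "*$flag*") {
        Write-Output "Chrome: OK       $($_.FullName)"
    } else {
        Write-Output "Chrome: MISSING  $($_.FullName)"
        if ($Fix) {
            $lnk.Arguments = ("$($lnk.Arguments) $flag").Trim()
            $lnk.Save()      # shortcuts under the all-users Start Menu need an elevated shell
            Write-Output "Chrome: flag added"
        }
    }
}
```

Chrome started any other way (a pinned taskbar icon, a file association, another program) does not pass through these shortcuts and will not pick up the flag.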
Remember that after implementing the patch, some SSL-protected websites may not work properly. So don’t apply it to all your browsers. Best if you kept one browser (like a Portable version) to use on SSL websites that don’t work right on your patched primary browser. In this portable version disable cookies, cache and history. And even when prompted don’t let the browser save anything. Better safe than sorry, eh!
(Post content based on Windows Secrets Newsletter • Issue 454 • 2014-10-23 free edition)