Today, a new vulnerability named POODLE (Padding Oracle On Downgraded Legacy Encryption) was discovered by Google security researchers Bodo Möller, Thai Duong, and Krzysztof Kotowicz. Instead of targeting the server directly as Heartbleed or ShellShock did, this exploit directly targets the clients that are visiting the sites.
How is the attack executed?
Individual clients are affected due to backwards compatibility built into most software. By default, browsers such as Firefox, Chrome, and Internet Explorer will attempt to connect to the server using the highest TLS protocol version available, but if the connection attempt is interrupted, they will retry with a lower version, which can include SSL 3.0. When this happens, an attacker can potentially compromise the traffic and gain information that would otherwise be encrypted.
What changes do I need to make?
Shared and Reseller hosting
We have disabled SSL 3.0 within all shared hosting environments to resolve the issue.
VPS and Dedicated hosting
If you are on a VPS or dedicated server, your server is not automatically patched. If you have root access, you may perform the steps outlined in our article on disabling SSL 3.0. If you do not have root access, or are not comfortable performing these steps, you may submit a verified ticket to technical support and they will be happy to make those changes for you.
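After changing the configuration, it helps to confirm that no directive still allows SSL 3.0. The script below is an added example, not part of the original article or any vendor's tooling. It assumes the server runs Apache (SSLProtocol directive) or nginx (ssl_protocols directive), and the sample configuration lines are constructed.

```python
import re

# Constructed sample configuration lines (not from any real server).
SAMPLE = """\
# apache vhost A
SSLProtocol all -SSLv2
# apache vhost B
SSLProtocol all -SSLv2 -SSLv3
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#SSLProtocol +SSLv3
"""

# Matches an active (uncommented) Apache or nginx protocol directive.
DIRECTIVE = re.compile(r"^\s*(SSLProtocol|ssl_protocols)\s+([^;#]+)", re.I)

def sslv3_enabled(directive, args):
    """Return True if this directive leaves SSL 3.0 switched on."""
    tokens = args.split()
    if directive.lower() == "ssl_protocols":
        # nginx: the directive is a plain allow-list of protocol names.
        return any(t.lower() == "sslv3" for t in tokens)
    # Apache: tokens are evaluated left to right. Assumption: "all" includes
    # SSLv3 (true unless OpenSSL was built without SSLv3 support). Bare tokens
    # are treated as additive, which errs on the side of reporting.
    on = False
    for tok in tokens:
        minus = tok.startswith("-")
        name = tok.lstrip("+-").lower()
        if name in ("sslv3", "all"):
            on = not minus
    return on

def audit(text):
    """Return (line_number, directive) pairs that still allow SSL 3.0."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if m and sslv3_enabled(m.group(1), m.group(2)):
            findings.append((n, line.strip()))
    return findings

if __name__ == "__main__":
    for n, line in audit(SAMPLE):
        print(f"line {n}: SSL 3.0 still enabled -> {line}")
```

To audit a real server, pass the contents of its configuration files to audit() instead of SAMPLE.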
How can I protect myself from vulnerable servers?
Eventually, all software will be updated to remove the backward compatibility issue, but until that is done, you will need to apply workarounds to vulnerable software. While this exploit primarily applies to individuals passing information over a public network, it is a good idea to safeguard yourself at all times.
Vulnerable software and workarounds
Web browsers
Software | Vulnerable | Workaround |
---|---|---|
Firefox | Yes | Set Firefox minimum TLS version |
Chrome | Yes | Set Chrome minimum TLS version |
Safari | Yes | Workaround unavailable at this time |
Internet Explorer | Yes | Set Internet Explorer minimum TLS version |