We explain the Poodle SSLv3 flaw. What you need to do about Poodle, how to avoid Poodle, and why you should care. (Poodle image by Greg Westfall.)
What is Poodle bug?
You may have read about Poodle. This most recent and widely publicised online security threat is a bug in the SSLv3, the Secure Sockets Layer 3.0 cryptography protocol. In laymen’s terms, SSL 3.0 is the encryption protocol that is there to protect data passing between between computers and servers. Three Google security researchers discovered the Poodle flaw and detailed how it could be exploited to intercept data between PC and web server. And, for good measure, they called it Padding Oracle On Downgraded Legacy Encryption – Poodle, for short. So, if Poodle was exploited, your web-browsing session could be intercepted, or even taken over. In principle at least.
How big a threat is Poodle?
The good news is that Poodle is a potential threat, but not an integral flaw in SSL certificates. It affects only the SSL 3.0 protocol. So if you are reading this as a webmaster, you really don’t need to be too concerned. It’s also worth quantifying just how serious is Poodle as an end user: not all that serious, but serious enough. It is a complicated hack, but one that it is possible to exploit. And you should be particularly careful when utilising free public Wi-Fi hotspots. So this isn’t Heartbleed, but it is worth educating yourself.
How to protect yourself from the Poodle bug
First, make sure you have up-to-date internet security software running on your system. This should include antivirus, antispyware and a firewall. See all security software reviews to find the right product for you. Then, check to make sure SSL 3.0 is disabled on your browser. In Internet Explorer it is under Internet Options, Advanced Settings. The settings are similar for all the other major browsers. Good practice anyway, but make sure ‘HTTPS’ is always on the websites you visit. Especially if you are transacting money or secure data. Make sure all of your software is up to date, and change your passwords. But be particularly aware of any emails you receive asking for passwords or for you to click a link to update software. Always type out the full domain names of websites, rather than clicking links in emails. (See also: Best security software.) Matt Egan is Global Editorial Director of IDG, publisher of Tech Advisor, and a passionate technology fan who writes on subjects as diverse as smartphones, internet security, social media and Windows.