Quote
A security vulnerability in SSL 3.0 has been uncovered by Bodo Möller (http://googleonlinesecurity.blogspot.de/2014/10/this-poodle-bites-exploiting-ssl-30.html) and two other Google employees that attackers can exploit to calculate the plaintext of secure connections.
SSL 3.0 is an old protocol and most Internet servers use the newer TLS 1.0, TLS 1.1 or TLS 1.2 protocols instead. Client and server usually agree to use the latest protocol version during the protocol handshake, but since TLS is backwards compatible with SSL 3.0, it can happen that SSL 3.0 is used instead.
During the first handshake attempt the highest supported protocol version is offered but if this handshake fails, earlier protocol versions are offered instead.
An attacker controlling the network between the client and server could interfere with the handshake attempt so that SSL 3.0 is used instead of TLS.
Instructions are available at the source on how to protect your web browser. See SSL 3.0 vulnerability discovered. Find out how to protect yourself (http://www.ghacks.net/2014/10/15/ssl-3-0-vulnerability-discovered-find-out-how-to-protect-yourself/?_m=3n.0038.1397.os0ao065y0.1g2g). Note, however, that the link to test the protocols includes the caveat, "This test reliably detects only the highest supported protocol." Thus, it reliably detects TLS 1.2, but will not reliably detect if SSL3 is disabled. https://www.ssllabs.com/ssltest/viewMyClient.html
https://www.ssllabs.com/ssltest/viewMyClient.html has been updated and now correctly shows "No" for SSL 3.
I have disabled 3.0 in my IE with no problems noted - yet.
FF 33:
Hmmm, seems to be more than just 3.0.
https://www.us-cert.gov/ncas/current-activity/2014/10/16/OpenSSL-Patches-Four-Vulnerabilities
Enable the MS FixIt available here:
https://support.microsoft.com/kb/3009008
FAQ - you generally don't have to undo them as next Patch Tuesday.
Do folks running Safari on a Mac need to be concerned with this?
I ran the above test(?) [Windows 7, Pale Moon] using the link that Corrine provided and everything seems to be OK.
Is it still necessary to run the MS FixIt?
Irrespective of browser choice - if running a Windows O/S, you need the FixIt (http://blogs.technet.com/b/msrc/archive/2014/10/29/security-advisory-3009008-released.aspx) in place, ASAP.
Bad dog: Redmond's new IE tool KILLS POODLE with one shot (http://www.theregister.co.uk/2014/10/29/microsoft_poodle_fixit_for_ie/)
Quote from: siljaline on November 06, 2014, 03:39:21 AM
Irrespective of browser choice - if running a Windows O/S, you need the FixIt (http://blogs.technet.com/b/msrc/archive/2014/10/29/security-advisory-3009008-released.aspx) in place, ASAP.
Thanks. Now fixed.
Most welcome. Leave the MS FixIt in-place until MS tells us otherwise.
You have to understand what is going on in an encryption vulnerability.
When you go to buy something online, your connection should be encrypted.
If the site is malware-infected, it can tell your browser to use the lowest encryption, say SSL 3,
which has been hacked, so the malware infector will get your credit card info.
If you have an updated browser, the lowest encryption it uses will not have been hacked.
This can cause a compatibility problem if a site uses only hacked encryption.
So it does not matter if you run Windows, Apple, or Linux.
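The quoted article at the top of the thread and the last post above both describe the same mechanism: a client offers its newest protocol version, steps down one version whenever a handshake fails, and can therefore be walked down to SSL 3.0 by anyone who can make the earlier attempts fail, unless the client's floor (or the server's configuration) stops the descent. The following is an added example, not code from the thread or from any source linked in it. `VERSIONS`, `Server`, `Network`, `connect()` and `negotiate()` are a constructed simulation of that fallback dance and do not speak real TLS; `ssl3_possible()` and `hardened_client_context()` check a real Python `ssl` client context for the same floor.

```python
"""Added example (not from the thread or any linked source): a model of the
protocol-version fallback the quoted article describes, plus a check of a real
Python `ssl` client context. VERSIONS, Server, Network, connect() and
negotiate() are a constructed simulation; they do not speak real TLS."""
import ssl
from dataclasses import dataclass, field

# Preference order, newest first. Index 0 is what a client offers first.
VERSIONS = ["TLS 1.2", "TLS 1.1", "TLS 1.0", "SSL 3.0"]


@dataclass
class Server:
    """Constructed server: completes a handshake only for versions it supports."""
    supported: frozenset

    def handshake(self, offered: str) -> bool:
        return offered in self.supported


@dataclass
class Network:
    """Constructed path between client and server. `dropped_attempts` models an
    interfering party that makes the first N handshake attempts fail; the
    client cannot tell such a failure from a server that lacks the version."""
    dropped_attempts: int = 0
    log: list = field(default_factory=list)

    def deliver(self, server: Server, offered: str) -> bool:
        if self.dropped_attempts > 0:
            self.dropped_attempts -= 1
            self.log.append(f"{offered}: failed (no answer)")
            return False
        ok = server.handshake(offered)
        self.log.append(f"{offered}: {'accepted' if ok else 'rejected'}")
        return ok


def connect(server: Server, network: Network, floor: str = "SSL 3.0"):
    """Legacy fallback dance: offer the highest version, step one version down
    on every failure, never below `floor`. Returns the negotiated version, or
    None when nothing at or above the floor succeeds (fail closed)."""
    for version in VERSIONS[: VERSIONS.index(floor) + 1]:
        if network.deliver(server, version):
            return version
    return None


def negotiate(server_versions, dropped_attempts: int, floor: str):
    """Run one scenario and return (negotiated_version, handshake_log)."""
    network = Network(dropped_attempts=dropped_attempts)
    result = connect(Server(frozenset(server_versions)), network, floor)
    return result, network.log


def ssl3_possible(ctx: ssl.SSLContext) -> bool:
    """True if a real Python client context could still offer SSL 3.0
    (it would additionally need an OpenSSL build with SSL 3.0 compiled in)."""
    return (not ctx.options & ssl.OP_NO_SSLv3
            and ctx.minimum_version <= ssl.TLSVersion.SSLv3)


def hardened_client_context() -> ssl.SSLContext:
    """Client context with an explicit TLS 1.2 floor: fallback stops there."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    legacy_server = VERSIONS  # a server that still speaks SSL 3.0
    # 1. Both sides allow SSL 3.0 and the first three attempts are made to fail.
    print(negotiate(legacy_server, 3, "SSL 3.0"))   # ('SSL 3.0', [...])
    # 2. Client floor raised to TLS 1.0: fails closed instead of downgrading
    #    (the "compatibility problem" against an SSL 3.0-only site).
    print(negotiate(legacy_server, 3, "TLS 1.0"))   # (None, [...])
    # 3. Server has SSL 3.0 disabled: the same interference yields nothing.
    print(negotiate(VERSIONS[:3], 3, "SSL 3.0"))    # (None, [...])
    # 4. Undisturbed connection negotiates the newest common version.
    print(negotiate(legacy_server, 0, "SSL 3.0"))   # ('TLS 1.2', [...])
    print(ssl3_possible(hardened_client_context()))  # False
```

Scenarios 2 and 3 are the two mitigations the thread circles around: the client refuses to step below a floor (what the browser settings and the MS FixIt accomplish), or the server stops offering SSL 3.0 at all. Either one alone is enough to deny the downgrade; the cost of the client-side floor is that a site offering only SSL 3.0 becomes unreachable rather than insecurely reachable.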