Secure Socket Layer (SSL) is an encrypted protocol to provide secure communication over the internet. The protocol has widespread use in various applications like web browsing, e-mail and Voice over IP. It was developed by Netscape and has seen 3 versions of it being released SSL 3.0 being the latest.
Poodle attack which is the acronym for “Padding Oracle On Downgraded Legacy Encryption", is a vulnerability that SSL 3.0 has and has made serious threats to the security of the protocol. A lot of websites support SSL 3.0 for secure communications and hence are prone to Poodle attacks. To be able to exploit the attack prone SSL 3.0, the attack initiator must be able to control the client server connection and insert the code into browser.
Any website that is supporting SSLv3 is open to POODLE attack. The servers are likely subjected to down inclination in which the attacker makes the browser to connect to SSLv3. Browsers which use only a miniscule fraction of SSL 3.0 for their secure connections are impacted as due to the sheer size of the web, this means millions of transactions per day. The scale of impact may be large due to traffic volumes, but the magnitude is not as severe as most websites already have higher versions of the protocol. Till date, Firefox uses SSLv3 connections approximately 0.3% but this small percentage in real account to millions of transactions per day as the size of web is very large.
As methods to mitigate the attack, browsers are releasing more secure versions and prompting their users to upgrade. Also the current versions of the browser are disabling SSL 3.0 on both the client and the server. Web services such as Cloud Flare are also dropping support of SSL 3.0 for Poodle attack prevention. Web operators are evaluating their traffic and disabling the SSL 3.0 protocol whilst the dependency on legacy clients is reducing. Mozilla earlier announced that SSLv3 will be disabled by default in Firefox 34, which got released on 25th Nov’2014. PayPal recently mailed their customers that they will no longer be able to accept payments as they are facing issues with SSLv3 and going through process to mitigate themselves from this attack, declaring 12th Jan’2015 as deadline for merchants.
Green Bird Media, a San Diego Web Design company, with A+ BBB ranking has been specializing in Drupal based secure website development and has complete cognition of this susceptibility and is advising the current customers on repercussions of this vulnerability so please contact us for any help.