POODLE SSL 3.0 Vulnerability
Announce POODLE SSL 3.0 Vulnerability. POODLE -Padding Oracle On Downgraded Legacy Encryption- vulnerability exist in SSL 3.0 as published in CVE-2014-3556
POODLE is flaw in browsers handing encryption- by negotiate down to SSL 3.0 attackers can alter padding data at end of block cipher in ways forces slow data leak. Many cipher suites in SSL 3.0 have already been abandoned as are insecure due to small key sizes and support have already removed from many browsers.
POODLE vulnerability allow attacker to exploit designs of SSL 3.0 to decrypt sensitive information including secret session cookies -can hijack sessions for user accounts- Because exploit is not fixed problem via patching is best to avoid having any use of SSL 3.0
How to fix
- Stop using browser which have support for SSL 3.0 -standard was replaced by TLS 1.0 in 1999-
- Few browsers have TLS_FALLBACK_SCSV for older browsers but recommend use newer browser
- Start using browser that use TLS 1.0 or higher- SSL 3.0 will be disabled default in Firefox 34 which will be released in November 2014 and Chrome already support SCSV and will remove SSL 3.0 support soon
- Make sure any servers no longer support use of SSL 3.0