Fraud Alerts

The POODLE Attack and the End of SSL 3.0

Summary

SSL version 3.0 is no longer secure. Browsers and websites need to turn off SSLv3 and use more modern security protocols as soon as possible, in order to avoid compromising users' private information. Google discovered a critical flaw in SSLv3 which can allow an attacker to extract secret information from inside an encrypted transaction. SSLv3 is an old version of the security system that underlies secure Web transactions, known as the "Secure Sockets Layer" (SSL) or "Transport Layer Security" (TLS).

Issue

In late September, a team at Google discovered a serious vulnerability in SSL 3.0 that can be exploited to steal certain confidential information, such as cookies. This vulnerability, known as "POODLE", is similar to the BEAST attack. By exploiting it, an attacker can gain access to things like passwords and cookies, enabling them to access a user's private account data on a website.

Any website that supports SSLv3 is vulnerable to POODLE, even if it also supports more recent versions of TLS. In particular, these servers are subject to a downgrade attack, in which the attacker tricks the browser into connecting with SSLv3. This relies on a browser behavior called insecure fallback, where the browser retries the connection with lower versions of TLS or SSL when the first attempt fails.

Impact

The POODLE attack can be used against any browser or website that supports SSLv3. This affects all current browsers and most websites. Though almost all websites still allow SSLv3 connections to support old browsers, it is rarely used, since very few browsers lack support for newer versions of TLS.

Additional Test Sites:
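Because any server that still accepts SSLv3 is exposed, the practical check is to offer a server nothing but an SSLv3 ClientHello and see whether it answers with an SSLv3 ServerHello. The probe below is an added example written for this alert, not code from Google or from the alert's author; the host name and the handful of cipher suites it offers are assumptions, and it only needs a plain TCP connection to the server being audited.

```python
import socket
import struct

SSL3_VERSION = b"\x03\x00"  # SSL 3.0 on the wire; TLS 1.0 is 0x0301, TLS 1.2 is 0x0303

def build_sslv3_client_hello() -> bytes:
    """Build a minimal SSLv3 ClientHello record (constructed values, no extensions)."""
    client_random = b"\x00" * 32                  # constructed: a fixed random is fine for a probe
    cipher_suites = b"\x00\x2f\x00\x35\x00\x0a"    # AES128-SHA, AES256-SHA, 3DES-EDE-CBC-SHA (assumed)
    body = (SSL3_VERSION + client_random
            + b"\x00"                             # empty session id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00")                        # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type=ClientHello, 3-byte length
    return b"\x16" + SSL3_VERSION + struct.pack("!H", len(handshake)) + handshake

def classify_response(data: bytes) -> str:
    """Classify the first record a server sends back to the SSLv3 ClientHello.

    'sslv3_accepted': an SSLv3 ServerHello came back, so the server is POODLE-exposed.
    'sslv3_rejected': an alert (handshake_failure / protocol_version) or no data at all.
    'unknown':        anything else, which deserves a manual look."""
    if len(data) < 5:
        return "sslv3_rejected"
    content_type, version = data[0], data[1:3]
    if content_type == 0x16 and version == SSL3_VERSION and len(data) >= 6 and data[5] == 0x02:
        return "sslv3_accepted"
    if content_type == 0x15:  # TLS/SSL alert record
        return "sslv3_rejected"
    return "unknown"

def probe_sslv3(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to host:port, send the SSLv3 ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            reply = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            reply = b""  # a server that drops the connection is treated as rejecting SSLv3
    return classify_response(reply)

if __name__ == "__main__":
    print(probe_sslv3("www.example.org"))  # assumed host name; run it against your own servers
```

A result of `sslv3_accepted` means the server should have SSLv3 disabled in its TLS configuration, regardless of which newer TLS versions it also offers.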
