The POODLE Vulnerability and How to Stay Safe
Earlier this October, the POODLE vulnerability was discovered by a team of security experts at Google. The attack allows cybercriminals to steal plaintext information, including authentication cookies, from HTTPS connections. This type of information would allow the hacker to access a person’s online accounts without a password.

Despite all the attention it has received, the vulnerability is not a particularly threatening one. To be attacked, you must be running JavaScript in your browser – everyone needs this to browse many mainstream sites – and the attacker has to be on the same network as you, for example using the public Wi-Fi at the same coffee shop as you.

POODLE also only affects the outdated SSLv3 protocol, used to encrypt communications between a browser and a website, or between a user’s email client and mail server. It’s not as serious as the recent ‘Heartbleed’ and ‘Shellshock’ vulnerabilities and many sites, including all DalPay and Snorasson Holdings operated websites, have already disabled SSLv3 support and so are not affected by the vulnerability.

If Heartbleed and Shellshock (both of which our systems have been patched against) rated a 10 on the threat scale, then POODLE rates a 5. Heartbleed is a severe vulnerability in the widely-used OpenSSL, which is supposed to secure our browsing, not expose it, while Shellshock targeted the similarly common Bash. POODLE, in comparison, is benign.

In general you can rely on websites to do the responsible thing to protect you by disabling SSLv3 at their end, as we and many other leading Internet sites have already done. Browser developers are already working on new releases that will remove SSLv3 support transparently; you should be protected automatically in the near future as those new browser releases are pushed out. You can also manually disable SSLv3 in your browser now by following these instructions.
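To show what "disabling SSLv3 at their end" looks like in practice, here is an added example (not DalPay's code or configuration) that puts the weak web-server setting beside the corrected one and audits each. The directive names are the real nginx `ssl_protocols` and Apache `SSLProtocol` directives; the sample config lines are constructed for illustration, and the assumption that an absent Apache `SSLProtocol` directive defaults to `all` (which included SSLv3 on the Apache releases current at the time) is noted in the code. The `probe_sslv3` function checks one of your own hosts with `openssl s_client`, which only works on an openssl build that still supports the `-ssl3` option.

```shell
#!/bin/sh
# Added example (not DalPay's code): audit web-server TLS settings for SSLv3.
# nginx "ssl_protocols" and Apache "SSLProtocol" are the real directive names;
# the config lines below are constructed samples, weak setting beside the fix.

# nginx: SSLv3 still offered (vulnerable to POODLE) versus removed.
NGINX_WEAK='ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;'
NGINX_FIXED='ssl_protocols TLSv1 TLSv1.1 TLSv1.2;'

# Apache: "all" includes SSLv3 (vulnerable) versus "all -SSLv3".
APACHE_WEAK='SSLProtocol all'
APACHE_FIXED='SSLProtocol all -SSLv3'

# Return 0 (true) if an nginx config text lists SSLv3 in ssl_protocols.
# Commented-out lines ("# ssl_protocols ...") do not count.
nginx_allows_sslv3() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*ssl_protocols[^;]*[[:space:]]SSLv3([[:space:]]|;)'
}

# Return 0 (true) if an Apache config text still permits SSLv3.
# Assumption: when the directive is absent the server default is "all",
# which included SSLv3 on the Apache 2.2/2.4 releases of 2014.
apache_allows_sslv3() {
    line=$(printf '%s\n' "$1" |
        grep -Ei '^[[:space:]]*SSLProtocol[[:space:]]' | head -n 1)
    [ -n "$line" ] || line='SSLProtocol all'
    # An explicit "-SSLv3" wins over "all" or "+SSLv3".
    printf '%s\n' "$line" |
        grep -Eiq '(^|[[:space:]])-SSLv3([[:space:]]|$)' && return 1
    # Otherwise SSLv3 is on if "all" or "SSLv3"/"+SSLv3" is listed.
    printf '%s\n' "$line" |
        grep -Eiq '(^|[[:space:]])(all|[+]?SSLv3)([[:space:]]|$)'
}

# Print a one-line verdict for a config text.
# $1 = server label, $2 = checker function name, $3 = config text
audit() {
    if "$2" "$3"; then
        printf '%-7s %-42s -> SSLv3 ENABLED (POODLE applies)\n' "$1" "$3"
    else
        printf '%-7s %-42s -> SSLv3 disabled\n' "$1" "$3"
    fi
}

# Live check of one of YOUR OWN hosts: does it complete an SSLv3 handshake?
# Needs an openssl build that still accepts "-ssl3"; newer builds refuse the
# option, in which case "refused" cannot be told apart from "unsupported".
probe_sslv3() {
    if openssl s_client -connect "$1:443" -ssl3 </dev/null >/dev/null 2>&1; then
        echo "$1: SSLv3 handshake accepted - disable SSLv3 on this server"
    else
        echo "$1: SSLv3 handshake refused (or this openssl lacks SSLv3 support)"
    fi
}

audit nginx  nginx_allows_sslv3  "$NGINX_WEAK"
audit nginx  nginx_allows_sslv3  "$NGINX_FIXED"
audit apache apache_allows_sslv3 "$APACHE_WEAK"
audit apache apache_allows_sslv3 "$APACHE_FIXED"
```

Run the script as-is to see the four verdicts; call `probe_sslv3 your.host.example` separately, after the config change and a reload, to confirm the server really stopped negotiating SSLv3 rather than trusting the config file alone.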

Should You be Worried?

With the Heartbleed, Shellshock, and now POODLE vulnerabilities so well known that they’ve almost become household names, you could be forgiven for thinking that 2014 has been an especially bad year for cyber security. But in reality, the number of new vulnerabilities discovered so far this year has been lower than the two years prior.

The difference is that these latest vulnerabilities have received an undue amount of attention as a result of a new naming trend among security experts. Following the lead of malware researchers (Zeus, Pony, etc.), security experts have begun choosing catchy names for newly discovered threats, as opposed to purely technical names. Not surprisingly, catchier-named vulnerabilities such as POODLE are more frequently reported on.

E-commerce and cyber security are always evolving and, as in all technologies, there will always be vulnerabilities to be exploited. But 2014 is setting a new record for payment volumes around the world, while the number of newly-discovered threats is the lowest in years.

Whatever the name of the threat, security experts at DalPay and other leading organisations are better prepared than ever to catch and prevent these attacks. Cybercrime will always be around, but we have the controls in place to identify new threats and apply the necessary patches, using vulnerability scanning, penetration testing and the most up-to-date software and operating systems. You can always rest easy using DalPay.