When most people hear POODLE, they think of man's best friend. Well, actually, most men would probably go for something manlier, like a Pit Bull or Rottweiler, but you get the idea. Regardless, there's a new POODLE on the block that isn't the sweet, innocent pup we've all become familiar with. It is a critical security vulnerability in the SSL 3.0 (SSLv3) protocol.
On October 14th, 2014 the "Padding Oracle On Downgraded Legacy Encryption", or POODLE, vulnerability was disclosed. It is a flaw in the SSLv3 protocol itself, not in any one product, so every implementation of SSLv3 is affected. An attacker who can intercept and alter traffic between an SSL client and a server (a "Man in the Middle", or "MITM") first forces the connection down to SSLv3, then uses SSLv3's weak CBC padding check as an oracle: by repeatedly modifying the victim's encrypted requests and watching which ones the server rejects, the attacker recovers the plaintext one byte at a time (on average about 256 requests per byte), which is enough to steal a session cookie. Although this vulnerability is relatively difficult to exploit, since it requires both a MITM position and a way to make the victim's browser send many crafted requests, all entities, including BluePay, that still accept SSLv3 need to take action to protect the confidentiality of data.
To mitigate this vulnerability, one approach is to modify all external websites so that the servers no longer accept SSLv3 connections at all; with SSLv3 disabled on the server, a MITM has nothing to downgrade to. This will require end-users to connect with a browser that supports TLS 1.0 or better. For the most part, this will affect Windows XP and Server 2003 users who use the version of Internet Explorer bundled with the OS (Internet Explorer version 6, IE6, or earlier), which has TLS 1.0 turned off by default. Some Internet Explorer version 7 (IE7) users may be affected as well, if TLS 1.0 support has not been enabled on their systems.
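Before and after disabling SSLv3 on a server, you want to confirm from the outside that it really refuses an SSLv3 handshake. The usual one-liner is `openssl s_client -ssl3 -connect host:443`, but most current OpenSSL builds have SSLv3 compiled out, so that check quietly becomes impossible. The following added example (written for this page, not BluePay's own tooling) builds a raw SSLv3 ClientHello, sends it, and classifies the first record the server returns: a ServerHello at version 3.0 means SSLv3 is still accepted, while an alert or a closed connection means it is refused. The hostname in `probe()` and the sample records are constructed for illustration.

```python
import os
import socket
import struct

SSLV3 = b"\x03\x00"  # protocol version 3.0 as it appears on the wire

# SSLv3-era cipher suites offered in the ClientHello. Any of them being
# negotiated shows the server still speaks SSLv3; the CBC ones are the
# suites POODLE targets.
CIPHER_SUITES = [
    0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
    0x0035,  # TLS_RSA_WITH_AES_256_CBC_SHA
    0x000A,  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    0x0005,  # TLS_RSA_WITH_RC4_128_SHA
]

# Alert descriptions a server typically returns when it refuses SSLv3.
ALERT_DESCRIPTIONS = {40: "handshake_failure", 47: "illegal_parameter",
                      70: "protocol_version", 80: "internal_error"}


def build_client_hello(random_bytes=None):
    """Return one handshake record carrying an SSLv3 ClientHello."""
    if random_bytes is None:
        random_bytes = os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (SSLV3 + random_bytes
            + b"\x00"                                   # empty session id
            + struct.pack("!H", len(suites)) + suites   # cipher_suites
            + b"\x01\x00")                              # one method: null compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Interpret the first record a server sends back to our SSLv3 ClientHello."""
    if len(data) < 5:
        return "refused (connection closed without a record)"
    content_type, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if content_type == 0x15 and len(payload) >= 2:       # alert record
        level, desc = payload[0], payload[1]
        return f"refused (alert {ALERT_DESCRIPTIONS.get(desc, str(desc))}, level {level})"
    if content_type == 0x16 and payload[:1] == b"\x02":  # handshake: ServerHello
        # layout: type(1) length(3) version(2) random(32) sid_len(1) sid cipher(2)
        if payload[4:6] == SSLV3 and len(payload) > 38:
            sid_len = payload[38]
            cipher = payload[39 + sid_len:41 + sid_len]
            return f"SSLv3 accepted (cipher 0x{cipher.hex()})"
        return "unexpected ServerHello version " + payload[4:6].hex()
    return f"unexpected record type 0x{content_type:02x}"


def probe(host, port=443, timeout=5.0):
    """Connect to host:port, offer SSLv3 only, and report how the server answers."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            data = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    # "www.example.com" is a placeholder; point this at the server being checked.
    print(probe("www.example.com"))
```

A hardened server answers with a fatal `protocol_version` or `handshake_failure` alert, or simply drops the connection; a result beginning with "SSLv3 accepted" means the change has not taken effect yet (check every listener, including load balancers and any SNI-selected virtual hosts, since each terminates TLS separately). The corresponding server-side settings are `SSLProtocol all -SSLv2 -SSLv3` for Apache's mod_ssl and `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` for nginx.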
Affected Windows XP end-users are encouraged to upgrade their computer's operating system to Windows 7 or later. Affected IE7 end-users should enable TLS 1.0 or better in the browser. Alternatively, end-users may choose to install an alternative browser such as Firefox, Chrome, or Opera.
Linux and Apple Mac OS X users should already have TLS 1.0 capable browsers installed on their systems; however, if Linux and Mac users experience difficulties connecting to a website after SSLv3 has been disabled, it is recommended that they patch their operating system or install a current version of Firefox, Chrome, or Opera.
For more information on the vulnerability, please go to: