POODLE - security update

Monday 20th October 2014

What is POODLE?

POODLE is the name of the vulnerability discovered by three researchers at Google. The vulnerability affects the way SSL encryption happens on sites using HTTPS (e.g. banks, Twitter, Google, some of our Moodle sites, etc.).

Why is it a threat?

When a web server and a web browser talk to one another, and they talk over SSL (i.e. it’s encrypted) they negotiate how strong/weak that encryption can be in the first part of that connection (the SSL handshake). 

SSLv3 is a very old protocol and is vulnerable to a man-in-the-middle attack. Although a browser will normally negotiate a newer protocol, it's possible for an attacker to simulate conditions in many browsers that will cause them to fall back to SSLv3. The risk from this vulnerability is that if an attacker could force a downgrade to SSLv3, then any traffic exchanged over an encrypted connection using that protocol could be intercepted and read.

What is ULCC doing?

We are updating our web servers so that they no longer talk to web browsers over SSLv3; in other words, our web servers will not negotiate an SSLv3 connection.
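As an added illustration (this is not ULCC's actual configuration, which this notice does not show), here is what the change looks like on an nginx web server: the protocol list before and after SSLv3 is removed. The hostname and certificate paths are placeholders.

```nginx
# Added example, not ULCC's real configuration: an nginx HTTPS server block
# before and after the POODLE change. Hostname and certificate paths are
# placeholders.

# BEFORE: the default in older nginx releases (before 1.9.1) still offers SSLv3,
# so a browser that has fallen back to SSLv3 can complete the handshake.
#
# server {
#     listen 443 ssl;
#     server_name moodle.example.org;
#     ssl_certificate     /etc/ssl/certs/example.pem;
#     ssl_certificate_key /etc/ssl/private/example.key;
#     ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
# }

# AFTER: SSLv3 is no longer in the list, so the server refuses to negotiate it
# even when a client attempts to fall back to it.
server {
    listen 443 ssl;
    server_name moodle.example.org;
    ssl_certificate     /etc/ssl/certs/example.pem;
    ssl_certificate_key /etc/ssl/private/example.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}

# The equivalent setting in an Apache httpd <VirtualHost> is:
#     SSLProtocol all -SSLv2 -SSLv3
```

After reloading the server, the change can be confirmed with `openssl s_client -connect moodle.example.org:443 -ssl3` from a machine whose OpenSSL build still includes SSLv3 support; once SSLv3 is disabled the command should end in a handshake failure rather than a completed connection, while an ordinary connection (without `-ssl3`) continues to succeed.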

When is this happening?

We plan to start on 21 October, with these changes being rolled out progressively to all our customers.

What do you need to know?

  • The main thing is that customers should update their web browsers – there are two parts to the threat – servers and browsers. We strongly encourage you to upgrade your web browsers to the latest version.
  • The risk is not significant but there is a vulnerability
  • ULCC is updating all its web-servers where HTTPS is being used
  • There won't be any down time for this change (i.e. it’s largely invisible)
  • If customers have end-users with very old browsers, those users will need to upgrade their browser (this is because some older browsers only support SSLv3, e.g. Internet Explorer on XP).
  • Most modern browsers (Chrome, Firefox) will continue to work fine, but may need an upgrade anyway.

Will it affect your end-users?

Yes and No...

  • No – the web-server won’t have any downtime to apply this change
  • Yes – if they have a really old browser/system they may need to upgrade to access the site.