Blog | G5 Cyber Security

POODLE Attack: Fix After Browser Update

TL;DR

Your browser update didn’t fully fix POODLE? This guide shows you how to disable SSLv3 and check your configuration. It’s a bit technical, but important for security.

What is POODLE?

POODLE (Padding Oracle On Downgraded Legacy Encryption) is an old vulnerability that allows attackers to decrypt secure web traffic when a connection is downgraded to SSLv3. Modern browsers should be protected, but sometimes older protocol settings remain enabled.

Step-by-step fix

  1. Check if SSLv3 is still enabled in your browser. The easiest way depends on your browser:
    • Chrome: Type chrome://flags into the address bar and search for ‘SSLv3’. If it’s enabled, disable it. Restart Chrome.
    • Firefox: Type about:config into the address bar (accept the risk!). Search for ‘security.tls.version.min’. Make sure its value is at least 3 (3 means TLS 1.2). If it’s lower, change it to 3 and restart Firefox.
    • Edge: Edge generally handles this automatically with updates, but check the Internet Options settings as described in step 2.
  2. Check Internet Options (Windows). This affects browsers built on the Windows engine (like older versions of Edge):
    • Open Internet Options (search for it in the Start Menu).
    • Go to the Advanced tab.
    • Scroll down to the Security section.
    • Uncheck “Use SSLv3”.
    • Uncheck “Use TLS 1.0” if you are confident your sites support TLS 1.2 or higher (recommended).
    • Click Apply and then OK. Restart your browser.
  3. Test your SSL/TLS configuration. Use an online tool to verify:
  4. (Advanced) Use testssl.sh from the command line. If you’re comfortable with the command line, first confirm that the tool is installed:
    testssl.sh --version

    The next command shows which SSL/TLS versions a server supports. Replace example.com with the website you want to test:

    testssl.sh example.com

    Look for lines indicating support for TLS 1.2 and higher, and *no* support for SSLv3.

  5. Clear your browser cache. Sometimes old data can interfere with the new settings.
  6. Restart your computer. A full restart ensures all changes are applied.
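
The check in step 4, as an added example that is not part of the original guide: a shell function that reads testssl.sh output and reports whether SSLv3 is refused and TLS 1.2 or higher is offered. The report line layout and both sample reports are assumptions constructed for this example.

```sh
#!/bin/sh
# Added example: grade the protocol lines of testssl.sh output against step 4.
# Assumed line layout: "<protocol>   offered ..." or "<protocol>   not offered ...".

# Print "offered", "not offered" or "unknown" for one protocol label ($1).
# Reads the report on stdin; colour escape sequences are stripped first.
proto_state() {
  esc=$(printf '\033')
  sed "s/${esc}\[[0-9;]*m//g" | awk -v want="$1" '
    { sub(/^[ \t]+/, "") }
    index($0, want) == 1 {
      rest = substr($0, length(want) + 1)   # text right after the label
      if (rest ~ /^[ \t]+not offered/) { print "not offered"; found = 1; exit }
      if (rest ~ /^[ \t]+offered/)     { print "offered";     found = 1; exit }
    }
    END { if (!found) print "unknown" }'
}

# Exit status: 0 = meets step 4, 1 = fails it, 2 = SSLv3 line missing.
check_report() {
  report=$(cat)
  ssl3=$(printf '%s\n' "$report" | proto_state "SSLv3")
  tls12=$(printf '%s\n' "$report" | proto_state "TLS 1.2")
  tls13=$(printf '%s\n' "$report" | proto_state "TLS 1.3")
  echo "SSLv3: $ssl3 | TLS 1.2: $tls12 | TLS 1.3: $tls13"
  case "$ssl3" in
    offered) echo "FAIL: server still accepts SSLv3"; return 1 ;;
    unknown) echo "INCONCLUSIVE: no SSLv3 line in the report"; return 2 ;;
  esac
  if [ "$tls12" != "offered" ] && [ "$tls13" != "offered" ]; then
    echo "FAIL: neither TLS 1.2 nor TLS 1.3 is offered"; return 1
  fi
  echo "PASS: SSLv3 refused, TLS 1.2 or higher offered"
}

# Constructed sample reports (not captured from a real server).
sample_bad=' SSLv2      not offered (OK)
 SSLv3      offered (NOT ok)
 TLS 1      offered (deprecated)
 TLS 1.1    offered (deprecated)
 TLS 1.2    offered (OK)
 TLS 1.3    not offered'
sample_good=$(printf ' SSLv3      \033[1;32mnot offered (OK)\033[m\n TLS 1      not offered\n TLS 1.2    offered (OK)\n TLS 1.3    offered (OK): final\n')

printf '%s\n' "$sample_bad"  | check_report || true
printf '%s\n' "$sample_good" | check_report
```

To grade a real server, pipe the tool's output into the function: `testssl.sh -p example.com | check_report` (`-p` limits the run to the protocol checks).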

Important Notes
