Bash bug & Heartbleed Information Centre

What about POODLE attacks?


If your server still supports SSLv3, chances are both your servers and your clients are exposed, so this is important stuff. Here are some resources and tests for POODLE vulnerabilities:

  • A bit of historical context
  • Chris Burgess has some good resources here
  • Mozilla Security: The End of SSLv3
  • Ubuntu and other workarounds
  • Test your browser
  • Test your server
  • Test someone else's server
  • Who is vulnerable?
  • How to disable SSLv3 browser support
  • How to disable SSLv3 server support
  • Microsoft advisory
  • The long term solution: TLS SCSV


Latest News: Some Cisco products turn out to be vulnerable to POODLE attacks.

New: Just when you thought it was taken care of by removing SSLv3 in favour of TLS, researchers discover that some TLS implementations leave some major sites open to the POODLE attack.
TLS's padding is a subset of SSLv3's padding so, technically, you could use an SSLv3 decoding function with TLS and it would still work fine. It wouldn't check the padding bytes but that wouldn't cause any problems in normal operation. However, if an SSLv3 decoding function was used with TLS, then the POODLE attack would work, even against TLS connections. - Adam Langley
Another quality update courtesy of Qualys Labs:
The impact of this problem is similar to that of POODLE, with the attack being slightly easier to execute: no need to downgrade modern clients down to SSL 3 first, TLS 1.2 will do just fine. The main targets are browsers, because the attacker must inject malicious JavaScript to initiate the attack. - Ivan Ristic
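To make Langley's point concrete, here is an added example in Python (not code from this site, from Adam Langley or from any vendor) that implements the two padding checks side by side: the SSLv3 rule, which only reads the final length byte, and the TLS rule, which requires every padding byte to equal that length. The block size, the sample records and the function names are constructed for the example. A TLS-conformant record passes both checks, which is what "TLS's padding is a subset of SSLv3's padding" means; a record whose padding bytes have been altered still passes the SSLv3-style check, and that silent acceptance is exactly the behaviour a TLS stack must not have.

```python
# Added example: SSLv3-style vs TLS-style CBC padding checks on a decrypted
# record. Block size, sample records and names are constructed for illustration.
from typing import Optional

BLOCK_SIZE = 16  # assumed cipher block size (e.g. AES-CBC)


def sslv3_padding_ok(record: bytes, block_size: int = BLOCK_SIZE) -> bool:
    """SSLv3 rule (RFC 6101, 5.2.3.2): the last byte is the padding length,
    which must be less than the block size. The padding bytes are not inspected."""
    if len(record) == 0 or len(record) % block_size != 0:
        return False
    pad_len = record[-1]
    return pad_len < block_size and len(record) >= pad_len + 1


def tls_padding_ok(record: bytes, block_size: int = BLOCK_SIZE) -> bool:
    """TLS 1.0+ rule (RFC 5246, 6.2.3.2): each of the pad_len + 1 trailing
    bytes must equal pad_len, so altered padding is detected."""
    if len(record) == 0 or len(record) % block_size != 0:
        return False
    pad_len = record[-1]
    if len(record) < pad_len + 1:
        return False
    return all(b == pad_len for b in record[-(pad_len + 1):])


def strip_padding(record: bytes, strict: bool) -> Optional[bytes]:
    """Return the payload (data + MAC) if the padding is acceptable, else None.
    strict=True applies the TLS rule, strict=False the SSLv3 rule."""
    ok = tls_padding_ok(record) if strict else sslv3_padding_ok(record)
    if not ok:
        return None
    return record[:-(record[-1] + 1)]


def compare(record: bytes) -> dict:
    """Report which decoder accepts this record."""
    return {"sslv3": sslv3_padding_ok(record), "tls": tls_padding_ok(record)}


# Constructed records: 10 payload bytes padded to one 16-byte block.
PAYLOAD = b"hello, tls"                     # stands in for data + MAC
GOOD_RECORD = PAYLOAD + bytes([5]) * 6      # TLS-conformant: six bytes of 0x05
# Same length byte, but the five padding bytes in front of it were altered.
ALTERED_RECORD = PAYLOAD + bytes([0x17, 0x2A, 0x99, 0x00, 0x41, 5])

if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("altered", ALTERED_RECORD)):
        print(name, compare(rec))
    # good {'sslv3': True, 'tls': True}
    # altered {'sslv3': True, 'tls': False}
```

In a real stack the MAC is verified after the padding is stripped, so the payload here stands in for data plus MAC. The point of the example is the acceptance decision: a decoder that applies only the SSLv3 rule accepts the altered record and carries on, while a conformant TLS decoder rejects it. The server and browser tests linked above are the practical way to find out which behaviour a deployed implementation has.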

Update: Are Trusted Canadian Websites Vulnerable to POODLE?

In "Poodle Bug Returns, Bites Big Bank Sites" Brian Krebs reports that some US banks are vulnerable to POODLE attack, at least as determined using the online scanning tool provided by Qualys. We did the same for the major Canadian banks and found that they all got a B and are not vulnerable to POODLE attacks, which is a far cry from the Fs earned by some of their U.S. counterparts. Hooray for relative security! Click the links to see all the reports.
TD EasyWeb
BMO Bank of Montreal
CIBC Online
Royal Bank


Tangerine
Scotiabank
TD AmeriTrade
TD WebBroker

Improved since Dec 13, 2014
Privacy Commissioner of Canada (Complaint Registration - Previous score: F)
Telus Customer Portal (Previous score: F)

Service Canada Job Bank (Previous score: C)
EHealth Ontario Portal (Previous score: C)




PayTickets.ca
Bell Canada Customer Portal


You'll never guess who got an F!
ServiceOntario Drivers License Renewal (Last check: Jan 21)
Equifax Canada Credit & Identity Monitoring (Last check: Jan 21)

The highest mark we've seen so far goes to:

Sony Canada Online Store

Industry Canada (Business Registrations & Incorporation Services - Up from F on Dec 13, 2014)
Canada Revenue Agency (Up from C on Dec 13, 2014)


Got a question, suggestion or correction? For site updates or comments email Soundbites@SecurityandPrivacy.ca or tweet / follow @datarisk

POODLE on Power Systems

A number of parties have claimed that midrange systems, and the IBM i platform in particular, are largely invulnerable to POODLE. This is not entirely true: IBM has released a number of advisories to raise awareness of the risk to various products and services:
  • IBM Domino impact and Interim fixes
  • WebSphere Application Server
  • CICS Explorer and Transaction Gateway
  • Lotus Notes Traveler

  • IBM Knowledge Center POODLE page
  • IBM Product Security Incident Response POODLE Advisories
Dec 9 Update:
  • IBM Issues More POODLE Patches, Warns Not to Use SSLv3
  • IBM and ISVs Fight POODLE Vulnerability in SSL 3.0
IBM i shops that continue to use SSLv3 to encrypt their communications are susceptible to the POODLE security vulnerability and could have their data compromised, IBM warned today in a security bulletin. IBM also issued new security patches that disable SSLv3 in IBM i's Java runtime. While IBM recommends moving to the newer TLS protocol, many IBM i applications still require SSLv3 and will likely break when it's disabled, IBM warns. - Alex Woodie


Powered by SecurityandPrivacy.ca