What is POODLE
The POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability allows an attacker to obtain data transferred with the SSL 3.0 protocol. An attacker acting as a man in the middle can downgrade a TLS connection to SSL 3.0 and then use a padding-oracle attack to access sensitive information such as cookies. Cookies are the most likely target of a POODLE attack, since stealing a user’s cookies allows an attacker to log in as that user.
This vulnerability can be fixed either on the server or in the client.
Site owners can protect their users against POODLE attacks by disabling TLS fallback or SSL 3.0 (note that disabling SSL 3.0 will break the site for IE6 users):
- For Apache:
SSLProtocol all -SSLv2 -SSLv3
- For Nginx:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
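To check that a change like the two lines above has taken effect everywhere, the following added example (not from the original article, nor from the Apache or Nginx projects) reads configuration text and reports whether each SSLProtocol or ssl_protocols line still leaves SSL 3.0 enabled. It assumes Apache's "all" includes SSLv3 and that an unprefixed Apache token replaces the set built so far; the function names and the sample configuration are constructed for illustration.

```python
# Assumption: Apache's "all" is expanded for an OpenSSL build that still
# includes SSL 3.0. SSLv2 is left out of the expansion for brevity.
APACHE_ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}

def apache_enabled(tokens):
    """Evaluate SSLProtocol arguments left to right, honouring +/- prefixes."""
    enabled = set()
    for tok in tokens:
        sign = tok[0] if tok[0] in "+-" else ""
        name = tok.lstrip("+-").lower()
        names = APACHE_ALL if name == "all" else {name}
        if sign == "-":
            enabled -= names
        elif sign == "+":
            enabled |= names
        else:
            enabled = set(names)  # assumption: a bare token replaces the set so far
    return enabled

def nginx_enabled(tokens):
    """ssl_protocols is a plain allow-list: only the named versions are on."""
    return {t.lower() for t in tokens}

DIRECTIVES = {"sslprotocol": apache_enabled, "ssl_protocols": nginx_enabled}

def audit(config_text):
    """Return (line_no, directive, sslv3_enabled) for every protocol directive."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        # Drop comments, surrounding whitespace and Nginx's trailing semicolon.
        parts = raw.split("#", 1)[0].strip().rstrip(";").split()
        if not parts or parts[0].lower() not in DIRECTIVES:
            continue
        enabled = DIRECTIVES[parts[0].lower()](parts[1:])
        findings.append((no, parts[0], "sslv3" in enabled))
    return findings

# Constructed sample input, not taken from a real server.
SAMPLE = """\
SSLProtocol all -SSLv2 -SSLv3
SSLProtocol all -SSLv2
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols SSLv3 TLSv1;  # legacy vhost
"""

if __name__ == "__main__":
    for no, directive, bad in audit(SAMPLE):
        print(f"line {no}: {directive}: {'SSLv3 ENABLED' if bad else 'SSLv3 off'}")
```

A file with no protocol directive at all produces no findings, so the server's built-in default still has to be checked separately.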
Browsers are rolling out fixes, but for users the quickest fix is to disable SSL 3.0:
- In Firefox this is done by going to about:config and setting
security.tls.version.min to 1
- Chrome users have to use the command line flag
For more technical information I would recommend this article by ImperialViolet.