Should you worry about POODLE bites?
Published October 15th, 2014 at 7:38 AM EST, modified October 15th, 2014 at 7:38 AM EST
Yesterday, Google revealed a vulnerability that one of their researchers found in SSL3, a technology used to secure many network connections, including those used by secure websites. This bug – which is being called “POODLE” – could allow an attacker to gain access to encrypted transmissions sent between the browser and a secure site. The question many Mac users will be asking this morning is: how much should we worry?
Unfortunately, it appears that the latest version of Safari – the browser used by the majority of Mac users – is vulnerable to the POODLE bug. You can easily check your own browser by visiting the Poodle Test site. If the site shows the image of a poodle, your browser is vulnerable.
When I tested with Safari 7.1 in Mac OS X 10.9.5, I got the poodle, indicating that this version of Safari is vulnerable to attack. I also tested the latest versions of Chrome (38.0.2125.104) and Firefox (33.0). Of these, Chrome was also vulnerable, while Firefox was not.
So, given that two of the “big three” browsers Mac users are likely to use are vulnerable, including the most commonly used one, this must be pretty serious, right? Well, yes and no. The most important thing to understand is that this vulnerability is only a danger in certain situations. In order to exploit this bug, an attacker must use a “man-in-the-middle” attack.
A man-in-the-middle attack is a situation in which the attacker occupies a privileged position between the machine being attacked and the server that machine is trying to communicate with. The most typical case would be one where an attacker sets up a malicious wifi network and, being in control of the network, is able to exploit the POODLE bug. Another possibility would involve an attacker being able to take over your home network somehow, such as through a wireless router that was improperly secured.
Thus, if you’re on a good network with properly secured network hardware, you really have nothing to worry about. There is no man in the middle, thus there can be no attack. However, any time you venture out onto some other network – such as a public network at a coffee shop, restaurant, public library, hotel, airport, etc. – you must exercise caution. The network you join could be a fake network set up to look like the real one, or it could be run by an untrustworthy person, and you could end up attacked.
I’ve always cautioned people against using secure sites on public wifi networks anyway. There has always been the possibility of a vulnerable site allowing an attacker to gain access to your “secure” connection, so avoiding use of secure sites on public wifi has always been a good idea. However, this is even more important now, given the POODLE vulnerability. Do not log in to any secure sites while on public wifi!
If you absolutely must use secure sites on unsecured public networks, at the moment, the safest browser to use for such purposes is Firefox, but make sure you have updated to the latest version. (I’m not sure how vulnerable older versions of Firefox might be.)
As far as your home or office network is concerned, make sure that your wireless router is not set to allow remote administration and is secured with a good password. Also make sure to update the router’s firmware, or consider installing an alternate third-party firmware, such as DD-WRT. If you aren’t sure how to do these things, contact the manufacturer of your router for assistance, or consider hiring a reputable local technician to help you.