Silo closing the hole on Poodle exposure


SECURITY

Another major vulnerability in the SSL protocol has just been discovered, codenamed POODLE. Like the Heartbleed bug earlier this year, this vulnerability undermines the secure HTTPS communication protocol that sits beneath all our most sensitive online transactions. With this vulnerability, hackers have the ability to re-assemble the session cookie between websites and browsers that rely on the older SSLv3 version of the protocol. With the session cookie in hand, it is possible for the attacker to gain access to the victim's web account. As usual, Ars Technica does a good job of describing the vulnerability.

Silo users are automatically protected from the Poodle vulnerability that undermines HTTPS transactions

Fortunately, the majority of websites have upgraded from SSLv3, but there are still applications out there that support it, especially to enable access from older browsers like Internet Explorer 6. Different vendors, including browser companies, will be releasing updates to remove SSLv3 over time. In the meantime, you need to take steps to make sure that your browser is configured correctly to enforce, at a minimum, the use of TLS 1.0 for HTTPS transactions. Depending on the browser, this is easier said than done. Fortunately, for users accessing sensitive sites through Silo, we automatically remove SSLv3 support to ensure that we only connect you to sites that have upgraded to TLS 1.0 or higher.
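The TLS 1.0 floor described above can be expressed as a check on the ServerHello a site sends back during the handshake. This is an added example, not Silo's or Authentic8's code; the function names and the sample handshake bytes are constructed for illustration.

```python
import struct

TLS1_0 = (3, 1)  # wire version 0x0301; SSLv3 is (3, 0)

class ProtocolTooOld(Exception):
    """Server picked a protocol version below the allowed floor."""

def server_hello_version(record: bytes) -> tuple:
    """Return the (major, minor) version a server chose in its ServerHello."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _maj, _min, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != 22:                       # 22 = handshake record
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 6:
        raise ValueError("truncated handshake")
    if body[0] != 2:                      # 2 = ServerHello
        raise ValueError("not a ServerHello")
    if int.from_bytes(body[1:4], "big") + 4 > rec_len:
        raise ValueError("handshake length exceeds record")
    return (body[4], body[5])

def enforce_floor(record: bytes, floor: tuple = TLS1_0) -> tuple:
    """Return the negotiated version, or raise if it is older than floor."""
    version = server_hello_version(record)
    if version < floor:
        raise ProtocolTooOld("server selected %d.%d, below floor %d.%d"
                             % (version + floor))
    return version

def make_server_hello(major: int, minor: int) -> bytes:
    """Constructed sample: minimal ServerHello, zeroed random, no session id."""
    hello = bytes([major, minor]) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return (b"\x16" + bytes([major, minor])
            + len(handshake).to_bytes(2, "big") + handshake)

if __name__ == "__main__":
    for ver in [(3, 0), (3, 1), (3, 3)]:
        try:
            print(ver, "accepted", enforce_floor(make_server_hello(*ver)))
        except ProtocolTooOld as exc:
            print(ver, "rejected:", exc)
```

This check covers the server's reply only; a client with SSLv3 removed also stops offering SSLv3 in its own ClientHello.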

Ramesh Rajagopal - Ramesh is Co-Founder and President of Authentic8. Before, he was VP Corporate Development at Postini, heading up strategic planning and business development until its acquisition by Google in 2007.

Topics: Security