What to do about POODLE (Part 2)

You thought chihuahuas were bad

Like a yapping dog on the heels of your dinner guests, POODLE follows a few other recently announced security issues. Its scope of impact makes it unique among vulnerabilities because it has potential implications for a lot of people, Internet-wide. We covered the basics in a previous post. Now we’ve got some more detailed information to share.

POODLE exposes a flaw in SSL 3.0, a really old version of the technology that SSL certificates use (or used). The vast majority of the Internet – browsers, servers, etc. – has since moved to another technology, TLS, but support for SSL 3.0 remained widespread. Because of that, there are two separate elements to consider: what POODLE means to you as a website owner or server admin, and what it means to you as an Internet user.

Server admins

You should remove SSL 3.0 support from your server, though this is only strictly necessary if your server hosts sites secured by an SSL certificate. We have documentation for you to do that here.
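As an added example (not GoDaddy's documentation or tooling), this Python script checks Apache SSLProtocol and nginx ssl_protocols directives for lines that still leave SSL 3.0 enabled. It assumes Apache's "all" shortcut includes SSLv3 and that a bare token replaces the set; the sample config is constructed and the function names are illustrative.

```python
import re

# Assumption: Apache's "all" shortcut includes SSLv3 (mod_ssl of that era).
ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
DIRECTIVE = re.compile(r"^\s*(SSLProtocol|ssl_protocols)\s+([^;#]+)", re.I)

def apache_protocols(args):
    """Left to right: '+' adds, '-' removes, a bare token replaces the set."""
    enabled = set()
    for tok in args.lower().split():  # protocol names compared case-insensitively
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        group = set(ALL) if name == "all" else {name}
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:
            enabled = group
    return enabled

def audit(config_text):
    """Return (line number, directive) for each line leaving SSL 3.0 on."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), 1):
        match = DIRECTIVE.match(line)  # commented-out lines never match
        if not match:
            continue
        kind, args = match.group(1).lower(), match.group(2)
        if kind == "sslprotocol":
            enabled = apache_protocols(args)
        else:  # nginx lists the enabled protocols explicitly
            enabled = set(args.lower().split())
        if "sslv3" in enabled:
            findings.append((number, line.strip()))
    return findings

# Constructed sample; Apache and nginx lines are mixed only for brevity.
SAMPLE = """\
# SSLProtocol all
SSLProtocol all -SSLv2
SSLProtocol all -SSLv2 -SSLv3
SSLProtocol -all +TLSv1.2
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
"""

if __name__ == "__main__":
    for number, directive in audit(SAMPLE):
        print(f"line {number}: SSL 3.0 still enabled -> {directive}")
```

A config with no such directive at all falls back to the server's built-in default, which this script does not evaluate.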

Website owners

As a website owner, you need to be concerned with POODLE only if your website uses an SSL certificate. If it doesn’t, nothing’s changed and there’s nothing to worry about.

If your site does use an SSL certificate and is on a platform we administer (i.e. shared hosting, Website Builder, Managed Hosting/Assisted Service Plan servers), we are disabling SSL 3.0 on your account.

The impact of this change is that customers visiting your site using nearly antique setups (Windows XP and Internet Explorer 6) will not see secure content on your site. Don’t worry, though: this is a small fraction of a percent of the traffic our customers see.

All Internet users (yes, you)

To protect yourself from POODLE, there are a few things you should do:

If you’re using Windows XP and Internet Explorer 6, upgrade to a modern browser ASAP. If you download the latest version of IE, Firefox, or Google Chrome, you’ll be much more secure.

Disable SSL 3.0 support (the vulnerable component) in your browser. Giving credit where it’s due, the team at zmap.io has documentation on doing that here.

What’s GoDaddy doing?

We’re disabling SSL 3.0 support on our own websites to ensure our customers remain as secure as possible.

If you’ve got any POODLE-related info to share, we’d love to hear from you in the comments below.



Also published on Medium.


Sean Loiselle
Sean Loiselle is a senior technical writer in NYC who focuses on open source enterprise software. When he's not neck-deep in SQL, he takes in the city's museums, music, theater, and performance art spots.