This week, the existence of a major vulnerability in the SSLv3 protocol was announced by Google.
The Padding Oracle On Downgraded Legacy Encryption bug, also known as POODLE and (somewhat erroneously) Poodlebleed, allowed for the decryption of secure connections into plaintext, which meant that compromised ISPs or Wi-Fi hotspots could extract data from secure HTTPS connections.
In real terms, POODLE leaked information that hackers could potentially abuse to decrypt web communications.
Although SSLv3 is now 15 years old, it is still used by many browsers and servers today, and is often used as a backup protocol when browsers fail to connect to a newer version of SSL. This meant that POODLE quickly became a huge issue for many users. Coming so quickly in the wake of both Heartbleed and Shellshock, POODLE sent providers scrambling to understand the scope of the problem and how best to resolve it.
SurfEasy, like so many other sites and apps, uses SSLv3, and so our developers moved quickly to fix the issue. We disabled SSLv3 on our servers in favor of TLSv1, which is the successor to SSLv3, and therefore bypassed the vulnerability entirely within a couple of hours of its detection. SurfEasy is now unaffected by the bug.
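To confirm that a server you operate no longer accepts SSLv3 after a change like this, you can offer it an SSLv3-only handshake and look at the first record it sends back. The sketch below is an added example, not SurfEasy's own tooling; the function names, the cipher list and the two sample replies are constructed for illustration.

```python
import os
import socket
import struct

SSL3 = (3, 0)  # wire version of SSLv3; TLS 1.0 is (3, 1)

# Constructed sample replies (not captured traffic):
SAMPLE_ALERT = bytes.fromhex("15030000020228")  # fatal alert 40, handshake_failure
SAMPLE_SERVER_HELLO = (b"\x16\x03\x00\x00\x2a" + b"\x02\x00\x00\x26" + b"\x03\x00"
                       + bytes(32) + b"\x00\x00\x2f\x00")  # ServerHello choosing 3.0

def sslv3_client_hello(random=None):
    """Build a ClientHello that offers SSLv3 only (no TLS version, no extensions)."""
    random = random or os.urandom(32)
    suites = struct.pack("!3H", 0x002F, 0x000A, 0x0005)  # AES128-SHA, 3DES-SHA, RC4-SHA
    body = bytes(SSL3) + random + b"\x00"                # version, random, empty session id
    body += struct.pack("!H", len(suites)) + suites + b"\x01\x00"  # suites, null compression
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = ClientHello
    return b"\x16" + bytes(SSL3) + struct.pack("!H", len(handshake)) + handshake

def classify_reply(reply):
    """Classify the first record a server returns to an SSLv3-only ClientHello."""
    if len(reply) < 5:
        return "no-reply"  # connection closed without negotiating SSLv3
    rec_type, _major, _minor, length = struct.unpack("!BBBH", reply[:5])
    payload = reply[5:5 + length]
    if rec_type == 0x15 and len(payload) >= 2:  # alert record: level, description
        return "rejected (alert %d)" % payload[1]
    if rec_type == 0x16 and len(payload) >= 6 and payload[0] == 0x02:
        version = (payload[4], payload[5])  # ServerHello.server_version
        return "SSLv3 ENABLED" if version == SSL3 else "negotiated %d.%d" % version
    return "unrecognised"

def probe(host, port=443, timeout=5.0):
    """Send the SSLv3-only hello to a server you administer and classify its reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.sendall(sslv3_client_hello())
            return classify_reply(conn.recv(4096))
    except (ConnectionResetError, socket.timeout):
        return "no-reply"

if __name__ == "__main__":
    print(classify_reply(SAMPLE_ALERT))         # server with SSLv3 disabled
    print(classify_reply(SAMPLE_SERVER_HELLO))  # server still accepting SSLv3
```

A server with SSLv3 switched off answers with a fatal alert or simply closes the connection; a ServerHello carrying version 3.0 means the protocol is still accepted.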
Of course, when any major security vulnerability rears its ugly head, it’s a good idea to change your passwords, check your accounts and, in this case, disable SSLv3 in your own browser, if you can. While Firefox 34 will disable the protocol itself, IE or Chrome users can find information here.