A few days ago, Google researchers alerted the world to a new Internet attack they called Poodle, which could theoretically let an attacker impersonate you on sensitive websites—Facebook, your bank, Amazon or wherever. We’ve previously covered how Poodle works, so have a look if you want more details.
The odds that you’ll run afoul of Poodle may seem low right now. The attack exploits a vulnerability in an 18-year-old security protocol called SSL 3.0 that few websites use anymore. This analysis by University of Michigan computer scientists found that only about 200 of the top million sites on the Web rely on SSL 3.0 to protect your communications with them.
But once a vulnerability like this is public, it’s only a matter of time before hackers start lining up to take advantage of it. For instance, malicious types might set up a fake Wi-Fi hotspot they could then use to intercept and rewrite the traffic between your browser and, say, your online broker in a complex scheme that would ultimately let them into your account without knowing your password.
“[W]hen using the local Starbucks or other unencrypted WiFi, you are in grave danger from this hack from hackers sitting the table next to you,” writes security expert Robert Graham.
The major browser makers all seem likely to disable support for SSL 3.0 connections, although may take them months to do so. (Mozilla promises SSL 3.0 will die in Firefox by November 25; Google says it will happen in Chrome “in the coming months“; Microsoft says only that it will “take the appropriate action” after it investigates the problem.) If you want to protect yourself in the meantime, you’ll have to do it.
Step One: Update Your Browser
If you aren’t using a modern browser (ahem, IE 6 users), it’s time to download a new version. Everyone else should make sure you’re keeping your browser up-to-date. This will ensure that you’ll get a version that’s patched against Poodle as soon as it’s available.
- In Chrome, close and reopen your browser to apply any outstanding updates, which the browser downloads automatically. Keep an eye out for new updates as they’re available; you’ll see the “hamburger” icon (the three parallel horizontal lines in the upper right-hand corner) turn green, orange or red when updates are available.
- In Firefox, ensure that the browser is set to automatically download updates by opening the Preferences option and clicking on the “Advanced” icon and the “Updates” tab, then checking “Automatically install updates.” Firefox will then prompt you to restart the browser when it’s downloaded new updates.
- In Internet Explorer, follow these instructions to turn on automatic updates (check the dropdown menu in the upper right to choose the right version of Windows first).
Step Two: Avoid Unsafe Browsing
The first and best advice is to never log into a public Wi-Fi network unless you’re absolutely sure it’s run by the coffee shop, airport or hotel you think it is. Hackers have long known that they can sucker in the unsuspecting by setting up fake but misleadingly named hotspots they can then use to plunder your Internet traffic.
But there’s more to do even if you’re on a reputable public wireless network, since your Internet traffic is still being broadcast “in the clear,” allowing hackers to “sniff” it and plan new attacks. To prevent that, use a virtual private network, or VPN, to encrypt your connection.
These setups allow you to connect securely to a trusted server that will then serve as a “home base” for your Web surfing, keeping your traffic shielded from snoops. That should frustrate most would-be hackers unless you’ve landed on an NSA watchlist (in which case all bets are off anyway). This 2012 Lifehacker guide to VPNs is a little dated, but it should be enough to get you started.
If you aren’t signed up with a VPN service, you can always set up a home VPN network you can log into from anywhere. My ReadWrite colleague Lauren Orsini published an excellent two-part guide to setting up your own home VPN using a Raspberry Pi (see here and here). You could also set up VPN software on a PC you leave running on your home network.
Step Three: Turn Off SSL 3.0
If your browser refuses to communicate using SSL 3.0, you won’t be vulnerable to Poodle. So turning it off is a smart thing to do. Be warned, though: This could break your ability to connect to older websites or related services if they rely on SSL 3.0. Such sites should be in the minority, but they presumably still exist, as it’s not clear what else might account for the fact that the ancient IE6 still accounts for 3.6% of all active desktop browsers.
This is far too complicated in Chrome—an issue that Google really ought to address. Basically, you have to launch the browser using the command-line flag –ssl-version-min=tls1, though that might be tricky unless you usually start it up via the command line. (Hint: Most people don’t. Most don’t even know what the command line is.)
See also: Don’t Fear The Command Line
You can automate that process, although the method differs depending on your computer’s operating system. This page offers instructions for Windows, Mac, Linux and Chrome OS (though you’ll have to replace the example text “–foo –bar=2″ with”–ssl-version-min=tls1″). One more warning: You’ll have to be careful if Chrome ever launches automatically when you click on a link, as it won’t apply the SSL-blocking flag if it does.
In Firefox, enter about:config in the browser bar, click through the permission box and then scroll down until you find the security.tls.version.min parameter. Double-click on it and enter “1” in the popup window.
Weirdly, this step is easiest in the much-maligned Internet Explorer. All you have to do is click on Tools->Internet options from the menu bar, then select the “Advanced” tab. Scroll down and uncheck “Use SSL 3.0,” and you’re done.
Photo by Jochen Frey