Understanding POODLE

What is POODLE?

To understand POODLE, you need to know a bit about SSL and TLS. They are two cryptographic protocols that were developed to help protect your important web communications. When you go to a website and you see HTTPS:// before the web address, you’re using SSL/TLS. SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are two very different protocols, but most people just lump them together and call them SSL. SSL was actually replaced by the TLS protocol around ten years ago as the de facto standard for cryptography, yet SSL is still in wide use. That’s what makes POODLE dangerous.

When you visit a website, the computer that serves you the page (the web server) is capable of several levels of cryptographic security, anywhere from TLSv1.2, the most recent and secure protocol, to SSLv3, the older and less secure protocol. This lets your browser and the web server settle on a protocol they both support so they can talk securely. This is the fundamental way that web browsers and servers try to prevent man-in-the-middle attacks, like POODLE.

What Does POODLE Do?

POODLE tries to force the connection between your web browser and the server to downgrade to SSLv3. If it does that, the attacker can get the plain text information from the communication. That means that they can access cookies, which are often used to store information, some of which could be personal and sensitive in nature. What the attacker does with that information is anybody’s guess, but it is never anything good.

On the upside, the POODLE attack is not the easiest way for an attacker to get your info. It may take hundreds, even thousands, of tries to get the POODLE attack to work on someone. So it is something to be concerned about; however, it isn’t necessarily as bad as the recent Heartbleed issue.
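
The version negotiation and forced downgrade described above can be modelled in a few lines. This is an added teaching example, not Cart66 code; the function names and the `disrupted` parameter are hypothetical, and the model assumes a client that retries with an older protocol whenever a connection attempt fails. It shows that the downgrade only lands on SSLv3 when both sides still have SSLv3 enabled.

```python
# Added teaching model (not Cart66 code). All names here are hypothetical.
ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]  # oldest to newest
ALL = set(ORDER)
TLS_ONLY = ALL - {"SSLv3"}  # the mitigation: SSLv3 switched off


def rank(version):
    return ORDER.index(version)


def handshake(client_offer, server_enabled):
    """One attempt: the server picks its highest enabled version that
    does not exceed what the client offered, or None if there is none."""
    usable = [v for v in server_enabled if rank(v) <= rank(client_offer)]
    return max(usable, key=rank) if usable else None


def connect(client_enabled, server_enabled, disrupted=frozenset()):
    """Client with fallback retries: offer the newest version first and,
    when an attempt fails, retry with the next older one. `disrupted`
    models attempts that interference on the network causes to fail."""
    for offer in sorted(client_enabled, key=rank, reverse=True):
        if offer in disrupted:
            continue  # this attempt never completes, so the client falls back
        agreed = handshake(offer, server_enabled)
        if agreed is not None:
            return agreed
    return None  # no common protocol: the connection fails closed


def results():
    return {
        "normal": connect(ALL, ALL),
        "downgraded": connect(ALL, ALL, disrupted=TLS_ONLY),
        "server_hardened": connect(ALL, TLS_ONLY, disrupted=TLS_ONLY),
        "client_hardened": connect(TLS_ONLY, ALL, disrupted=TLS_ONLY),
    }


if __name__ == "__main__":
    for case, version in results().items():
        print(f"{case:16} -> {version}")
```

In the two hardened cases the connection fails instead of falling back to SSLv3, which is the intended outcome of turning SSLv3 off on either side.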

Is Cart66 Affected by POODLE?

Cart66 itself is not vulnerable to POODLE. We are always paying close attention to our systems to ensure that we are providing our customers with the highest degree of security possible. Most modern shopping carts do not use this old technology in their solutions. In general, POODLE will only affect solutions that are older and use SSLv3. If you have any questions regarding this change, please contact Cart66 support.