For years, when I have advised clients to use encryption (i.e. HTTPS) to transmit sensitive information from their web browsers, email clients, and other programs, I have generally referred to “SSL”, which stands for Secure Sockets Layer. However, that protocol has long since been superseded by a more secure one called TLS, which stands for Transport Layer Security. There was little harm in referring to them interchangeably, since both protocols added reasonably decent encryption to communications. That is no longer the case. Google researchers have now published a serious flaw, nicknamed POODLE, in SSL 3.0, the last version of SSL. An attacker positioned on the network between you and a server can use it to decrypt pieces of an SSL 3.0 connection, such as a login cookie, without ever learning the encryption key. SSL is dead.
See the following article:
This POODLE bites: exploiting the SSL 3.0 fallback
Now, most of the time, if you see “https://” in the web address in your browser, your browser will have negotiated with the server over which protocol versions both sides support and will have picked the best one available, which for many years has meant a version of TLS rather than SSL 3.0. However, an attacker on the network does not have to break TLS to get around this. By interfering with the connection so that the TLS handshake fails, the attacker triggers a behaviour browsers adopted to cope with broken servers: they retry with an older protocol version, and keep stepping down until something works, all the way to SSL 3.0 if it is still enabled. Now that SSL 3.0 has a known vulnerability, that is very bad.
Over the coming months, browsers and other programs will likely be patched to no longer use SSL 3.0 and to establish connections only via TLS. For example, according to the Mozilla Firefox blog, “SSLv3 will be disabled by default in Firefox 34, which will be released on Nov. 25. … This timing is intended to allow website operators some time to upgrade any servers that still rely on SSLv3.” But, until that time, any connection that can be pushed down to SSL 3.0 is vulnerable. So, my advice is to disable SSL 3.0 in your browser now, following the instructions for each browser in this article: https://zmap.io/sslv3/browsers.html. The trade-off is deliberate: a site that still supports nothing newer than SSL 3.0 will then fail to load rather than connect insecurely, and that failure is the signal that the site operator needs to upgrade.
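To make the downgrade mechanism described above concrete, here is an added example (not code from the original post, and not a real TLS implementation) that models the browser “fallback dance”, an active attacker who can only drop connections, and the two fixes in play: disabling SSL 3.0 on the client, and the TLS_FALLBACK_SCSV signalling value from RFC 7507 that lets a server spot a downgraded retry. The version numbers, message names and scenario names are the only real-world artefacts; the `Server`, `Network` and `connect` objects are my own simplifications.

```python
# Added example: toy model of the POODLE downgrade dance. The handshake
# messages are plain Python objects, not real TLS records, and the attacker
# is modelled as dropping chosen handshakes, which is all an active network
# attacker needs to do.
from dataclasses import dataclass

# Protocol version numbers as they appear on the wire (major, minor).
SSL3, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)
NAME = {SSL3: "SSLv3", TLS10: "TLSv1.0", TLS11: "TLSv1.1", TLS12: "TLSv1.2"}


@dataclass
class ClientHello:
    version: tuple              # highest version offered in this attempt
    fallback_scsv: bool = False  # TLS_FALLBACK_SCSV (RFC 7507) included?


@dataclass
class Server:
    max_version: tuple
    min_version: tuple = SSL3          # most 2014 servers still accepted SSLv3
    honors_fallback_scsv: bool = False

    def handle(self, hello):
        # RFC 7507: a retry that carries the SCSV yet offers less than our
        # best version can only be a downgrade (or an attacker), so refuse.
        if (self.honors_fallback_scsv and hello.fallback_scsv
                and hello.version < self.max_version):
            return ("alert", "inappropriate_fallback")
        if hello.version < self.min_version:
            return ("alert", "protocol_version")
        # Normal negotiation: the highest version both sides support.
        return ("server_hello", min(hello.version, self.max_version))


class Network:
    """Path between client and server. The attacker may drop the handshake
    for chosen client versions; the client only sees a failed connection."""

    def __init__(self, server, attacker_drops=()):
        self.server = server
        self.attacker_drops = set(attacker_drops)

    def send(self, hello):
        if hello.version in self.attacker_drops:
            return ("dropped", None)
        return self.server.handle(hello)


def connect(net, versions=(TLS12, TLS11, TLS10, SSL3), send_scsv=False):
    """Browser-style fallback: try versions best to worst, retrying one step
    lower after any failure. versions[-1] is the lowest version the client
    will accept. Returns (negotiated_version_or_None, transcript)."""
    floor = versions[-1]
    transcript = []
    for attempt, v in enumerate(versions):
        hello = ClientHello(v, fallback_scsv=send_scsv and attempt > 0)
        kind, detail = net.send(hello)
        transcript.append((NAME[v], kind, detail))
        if kind != "server_hello":
            continue                      # dropped or alert: fall back
        if detail < floor:
            # Server chose something below our configured minimum: abort.
            transcript.append(("client_abort", "below_minimum", NAME[detail]))
            return None, transcript
        return detail, transcript
    return None, transcript


def scenarios():
    """Constructed scenarios; returns the version each one negotiates."""
    attacker = {TLS12, TLS11, TLS10}   # attacker kills every TLS handshake
    return {
        # Honest network: the best version wins on the first attempt.
        "honest": connect(Network(Server(TLS12)))[0],
        # Attacker plus SSLv3 still enabled: the browser lands on SSLv3.
        "poodle": connect(Network(Server(TLS12), attacker))[0],
        # Same attacker, SSLv3 disabled in the client: fails closed instead.
        "ssl3_off": connect(Network(Server(TLS12), attacker),
                            versions=(TLS12, TLS11, TLS10))[0],
        # Same attacker, SSLv3 enabled, but both sides do TLS_FALLBACK_SCSV.
        "scsv": connect(Network(Server(TLS12, honors_fallback_scsv=True),
                                attacker), send_scsv=True)[0],
        # Legacy SSLv3-only server against a client with SSLv3 disabled.
        "legacy_server": connect(Network(Server(SSL3)),
                                 versions=(TLS12, TLS11, TLS10))[0],
    }


if __name__ == "__main__":
    for name, version in scenarios().items():
        print(f"{name:14s} -> {NAME.get(version, 'connection failed')}")
```

The “poodle” scenario is the one the post is warning about: nothing in TLS was broken, the attacker merely made every TLS attempt fail and the client volunteered SSLv3. The “ssl3_off” and “legacy_server” scenarios show why disabling SSL 3.0 is the right client-side fix even though it costs compatibility: the connection fails rather than silently degrading, and a client that has disabled SSL 3.0 must also reject a server that picks it during normal negotiation, not just refuse to offer it on retry.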
Email programs may suffer from the same issue, since their POP, IMAP and SMTP connections use the same protocol negotiation and the same fallback behaviour, but I have not yet found any similar online warnings, configuration instructions, or patches for email programs such as Outlook (Exchange) and Mac Mail. There is an Outlook setting to restrict POP/SMTP connections to “TLS” (in the More Settings area of your account configuration). Be aware, however, that the “SSL” and “TLS” labels in that setting describe how the encrypted connection is started (on a dedicated port versus upgraded from a plain connection), not which protocol version is used, so it does not by itself rule out SSL 3.0.
In the meantime, if you use stand-alone programs such as Outlook, Mac Mail, or Thunderbird rather than browser-based email, consider keeping them closed while on public or unencrypted wireless connections, or else route them through a virtual private network (VPN), until more clarity emerges about whether those programs can still be downgraded to SSL 3.0. A VPN only moves the problem off the local network: it protects the path to the VPN provider, so choose one you trust, since an attacker between the VPN exit and your mail server could still attempt the downgrade.