The POODLE SSLv3 threat
Last modified on 30 July 2015 08:27 PM

On October 14th, 2014, Google engineers disclosed a vulnerability in an older encryption protocol called SSLv3. Users of older web browsers that use this protocol exclusively, such as Internet Explorer 6, are exposed to possible "man-in-the-middle" attacks. In addition, more recent browser versions that use more modern encryption protocols such as TLS are not exempted, as these browsers may be forced to fall back to using SSLv3 by an attacker.

The good news is that StartMail's servers are protected against this vulnerability. StartMail prevents POODLE exploits from occurring by not accepting SSLv3, and only allowing newer encryption protocols, such as TLS 1.0 or higher, that are not vulnerable to this attack. StartMail's support for strong security and cryptography standards is reflected in its receiving the highest possible score (A+) from Qualys SSL Labs.

Because StartMail does not support SSLv3, you are safe from POODLE when visiting StartMail.com.
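One way to confirm from a captured handshake whether a server agreed to SSLv3 or turned it down is to read the version field of its first reply. The following is an added example, not StartMail's code; the function names are hypothetical and the sample records are constructed for illustration.

```python
import struct

# Wire values of the two-byte protocol version field (major, minor).
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
            (3, 3): "TLS 1.2"}  # TLS 1.3 also reports 3.3 in this legacy field
HANDSHAKE, ALERT, SERVER_HELLO = 0x16, 0x15, 0x02


def server_reply(record: bytes) -> str:
    """Classify the first record a server sent in reply to a ClientHello.

    Returns the version name taken from a ServerHello, or "refused" when
    the server answered with an alert instead of continuing the handshake.
    """
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _major, _minor, length = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + length]
    if len(body) < length:
        raise ValueError("truncated record body")
    if ctype == ALERT:
        return "refused"
    if ctype != HANDSHAKE or len(body) < 6 or body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello or alert")
    # Handshake body: type(1) + length(3) + server_version(2) + random(32) ...
    version = (body[4], body[5])
    return VERSIONS.get(version, "unknown %d.%d" % version)


def accepts_sslv3(record: bytes) -> bool:
    """True when the server agreed to speak SSLv3, the POODLE-exposed case."""
    return server_reply(record) == "SSLv3"


def sample_hello(minor: int) -> bytes:
    # Constructed sample: minimal ServerHello with zeroed random, empty
    # session id, cipher suite 0x002f and null compression.
    hs_body = bytes([3, minor]) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(hs_body).to_bytes(3, "big") + hs_body
    return bytes([HANDSHAKE, 3, minor]) + len(hs).to_bytes(2, "big") + hs


# Constructed sample: fatal (2) protocol_version (70) alert record.
SAMPLE_ALERT = bytes([ALERT, 3, 0, 0, 2, 2, 70])

if __name__ == "__main__":
    for name, rec in [("SSLv3 hello", sample_hello(0)),
                      ("TLS 1.0 hello", sample_hello(1)),
                      ("alert", SAMPLE_ALERT)]:
        print(name, "->", server_reply(rec), accepts_sslv3(rec))
```

A server that only allows TLS 1.0 or higher should never produce the first case when offered SSLv3 alone; it should answer with an alert or close the connection.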

What should users do to protect themselves when visiting other sites?

If you are using an older web browser, we recommend you upgrade to the latest version of a browser like Mozilla Firefox, Chromium, or Google Chrome. These newer browsers support modern, safer encryption standards by default.

In addition, the browser should be configured to not accept SSLv3. The way to do this varies per browser. General information and instructions on how to accomplish this can be found at http://www.cnet.com/news/google-exposes-poodle-flaw-in-web-encryption/

Mozilla Firefox users can install the official Mozilla browser add-on "SSL Version Control", which disables SSLv3. For more Firefox-specific information, please see: Mozilla Security Blog - The POODLE Attack and the End of SSL 3.0 - https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/.  

Chrome/Chromium users can run their browser with the --ssl-version-min=tls1 command-line flag to disable SSLv3. Please see this link for more information on launching Chrome/Chromium with command-line flags: http://www.chromium.org/developers/how-tos/run-chromium-with-flags

If you are having trouble, you can ask a savvy friend or computer technician to upgrade the browser for you. Such services may also be offered by computer stores.

For more information on POODLE and SSLv3, please see the following links:

http://googleonlinesecurity.blogspot.nl/2014/10/this-poodle-bites-exploiting-ssl-30.html

https://www.openssl.org/~bodo/ssl-poodle.pdf
