Poodle attacks SSL3 encryption
By Dave Bunting, Shopper Editor
Our communication between our computer, tablet or smart phone and a web site is transmitted through, relayed by, many, often dozens of computers, as it travels through the maze of links called the “web.”
Every one of those computers must read every digit of our communication in order to retransmit each digit on ahead. Also anyone with access to any of those relay computers could also read every digit of our communication.
Encryption codes the digits of our communication into different, apparently meaningless gibberish digits, but gibberish that only our intended receiver can decode, gibberish such that all those intermediate web relay computers along the way cannot read, cannot decode, cannot understand.
SSL (Secure Socket Layer) is the encryption method that can be used by our computers, tablets and smartphones and web sites computers.
However, SSL encryption is used only when we are communicating with those web sites that have the “s” after the “http”, thus “https”, at the beginning of their URL address.
Until recently, many web sites used no encryption, they are just “http,” so our communication to and from them was readable by them and by anyone else who could see it en route.
Because more and more criminals are now trying to get our private info as we send it, internet leaders recently recommended that all web sites use SSL, all be https, requiring our computers/tablets/ smartphones to encrypt or encode communication to and from them. All of our computers/tablets/ smartphones are built capable of this SSL encoding.
And in response to the recommendation, most web sites now use SSL, are https.
SSL has an important second benefit: it also enables the computers at both ends of the communication to verify definitely the identity of the computer at the other end.
There are several ways of doing the SSL encryption, SSL3 being the oldest and weakest now in use. Many web sites still use old SSL3.
Now criminals wanting our private info like credit card numbers have found a way– called “Poodle”– of reading our communication if it is encrypted using old SSL3.
All communication now, if it is to be secure, must use the SSL method with at least the next higher security level, which is called “TSL1” or simply “TSL.”
So all of our computers, tablets and smart phones, if our communication is to be secure, must now require the web site to which we’re communicating to use at least TSL1 security. Most, but unfortunately not all, of the web sites with which we communicate are capable of TSL1.
Thus the recommendations in this article:
https://support.startpage.com/index.php?/Knowledgebase/Article/View/980/0/the-poodle-sslv3-threat
Note: The information in this linked article is provided to us by our friends at StartPage.com, the search engine that is very much more secure, protects our privacy very much more than Google, Bing, Yahoo, etc., because it makes no record of our search terms or sites we open. The other search engines keep extensive records of all of our search terms and sites we ever visit, sometimes possibly including such info as our credit card number or social security number, then sell that information about us. Those records are also then available to governments or criminals who gain access to them by legal or criminal means.
We always strongly recommend that our readers who value their privacy change the search engine in their web browser from Google, Bing, etc. to StartPage.com. See how in your browser at: Internet Explorer, Chrome, FireFox or Safari (more difficult).