The POODLE vulnerability and AdminProject

As we announced on Twitter and Google+ a few days ago, we changed some of the background mechanisms responsible for encrypting everything that goes in or out of AdminProject. The problem was discovered by a Google team and published on October 14th on the Security Blog.

Basically, here’s what the trouble is: SSL (Secure Sockets Layer) is a security mechanism that many pages have used for years. Every SSL-enabled page establishes an encrypted tunnel between your browser and the server, so even if someone were able to see what you are sending or receiving, it would look like a stream of random characters. The trouble is that SSL (specifically SSL 3.0) is 18 years old, outdated and used by almost no one anymore. Well, except Internet Explorer 6.0, which should have been abandoned years ago. The protocol has been updated several times since then, and the much more secure TLS is used now. But for compatibility reasons, SSL 3.0 was still supported by many servers, including the AdminProject server. If you REALLY want to know all the details, they are here.

The problem is related to web servers and their configuration. The newly discovered POODLE bug allows a malicious user to force a fallback to SSL 3.0 and then try to steal “secure” cookies or other tokens used during encrypted communication.

To make sure this never happens on AdminProject, we decided to remove SSL 3.0 from the accepted encryption schemes, so your data is secure.

The only way you could be affected is if you try to access AdminProject using Internet Explorer 6.0, but again, it is a very old, buggy and generally not recommended browser, which we no longer support. Please upgrade to the latest possible Internet Explorer, Firefox, Chrome or Safari.

To test your browser against the SSL 3.0 vulnerability, you can use this page:
https://www.poodletest.com 

To test a server (any SSL-enabled server, not just AP), you can use this:
https://www.tinfoilsecurity.com/poodle 
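
What a server test of this kind boils down to, as an added example (not AdminProject's code and not the code of the tools linked above): offer the server SSL 3.0 and nothing newer, then see whether it answers with a ServerHello that selects SSL 3.0 or refuses the handshake. The function names and the three result strings are hypothetical.

```python
import os
import socket
import struct

# Added illustration; function names are hypothetical, not from any tool.
SSL3 = b"\x03\x00"                        # version bytes for SSL 3.0
CBC_SUITES = b"\x00\x2f\x00\x35\x00\x0a"  # AES128-SHA, AES256-SHA, 3DES-SHA

def build_ssl3_client_hello():
    """ClientHello record that offers SSL 3.0 and nothing newer."""
    body = (SSL3 + os.urandom(32)         # client_version, random
            + b"\x00"                     # empty session id
            + struct.pack("!H", len(CBC_SUITES)) + CBC_SUITES
            + b"\x01\x00")                # one compression method: null
    # handshake header: type 1 (ClientHello) plus a 24-bit length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake

def classify_reply(data):
    """Interpret the first bytes the server sends back."""
    if len(data) < 5 or data[0] == 0x15:
        return "no-ssl3"                  # closed connection or alert record
    if data[0] == 0x16 and data[5:6] == b"\x02" and data[9:11] == SSL3:
        return "ssl3-accepted"            # ServerHello that selected SSL 3.0
    return "unknown"

def probe(host, port=443, timeout=5.0):
    """Send the hello to a server you administer and classify the answer."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_ssl3_client_hello())
        try:
            while len(data) < 11 and not data.startswith(b"\x15"):
                chunk = sock.recv(11 - len(data))
                if not chunk:
                    break
                data += chunk
        except ConnectionError:
            pass                          # a reset also means the hello was refused
    return classify_reply(data)
```

A result of `ssl3-accepted` means SSL 3.0 is still among the server's accepted protocols and should be removed from its configuration; `no-ssl3` is the outcome expected once that has been done.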

 
