November 4, 2014
How to Protect Yourself From the POODLE SSL Vulnerability
There’s a new, major Internet security vulnerability that you need to be aware of. It’s called POODLE, and it essentially allows hackers to intercept encrypted data sent from your Web browser (e.g., Internet Explorer) to secure websites (your bank, email account, etc.).
POODLE is an attack against SSLv3, a security protocol that has been around for close to two decades. SSL was upgraded and replaced by a more secure protocol known as TLS in 1999, but because site operators didn’t want to cut off users who were running extremely outdated browsers, many important websites still allow SSL-secured sessions on their secure pages.
What Do You Need to Do?
As a user, the easiest way to protect yourself from POODLE is to turn off support for SSLv3 in your browser. For most users, this fix involves getting into your browser’s settings menu and unclicking a checkbox. (Google Chrome users actually have to cut and paste a snippet of code, but it’s still not terribly difficult.) The links below provide official directions and discussion from each browser manufacturer as to how to disable SSLv3 in their product(s).
For those who are less technical, sites such as DisableSSL3.com and ZMap have slightly more user-friendly walkthroughs of this process.*
NOTE: There are still sites on the Internet that do not support the more secure TLS option and that only use SSL security. Disabling SSLv3 in your browser will cause these sites not to load. Here’s a list of the most popular webpages that do not currently support TLS security.
You should also contact any service providers whose websites you access frequently to ensure they support TLS and that they are planning to drop support for SSLv3 completely. For your information, Shift4 does support TLS and defaults to the highest security settings supported by your browser. We have already removed support for SSLv3 from our public-facing testing/certification environment and will be removing it from DOLLARS ON THE NET®, Shift4.com, MyPortal, i4Go®, IT’S YOUR CARD®, and all other Shift4-owned services and domains in the next few weeks. Thanks to the redundant nature of our systems, these updates should not affect your ability to process transactions.
In the unlikely scenario that you experience any service issues, our world-class Customer Support representatives are available 24/7/365 to assist you. Don’t hesitate to contact us at 702.597.2480 (option 2) or [email protected].
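An added example, not part of the original post or Shift4's own tooling: one way to check whether a server still accepts SSLv3, which is what the post suggests confirming with your service providers. It sends an SSLv3-only ClientHello and classifies the first reply. The function names, the cipher-suite list and the sample replies are assumptions constructed for illustration.

```python
import os
import socket
import struct

SSL3 = b"\x03\x00"  # protocol version 3.0 as it appears on the wire
# Constructed sample replies (not captured from any real server).
SAMPLE_ALERT = bytes.fromhex("15030000020228")  # fatal alert, description 40
SAMPLE_SERVER_HELLO = bytes.fromhex("160300002a020000260300") + bytes(32) + bytes.fromhex("00002f00")

def ssl3_client_hello():
    """Build a minimal ClientHello that offers SSLv3 only (SSLv3 has no extensions)."""
    suites = b"\x00\x2f\x00\x0a\x00\x05"  # AES128-CBC-SHA, 3DES-CBC-SHA, RC4-SHA
    body = (SSL3 + os.urandom(32) + b"\x00"            # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites  # cipher suite list
            + b"\x01\x00")                             # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type + 24-bit length
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake

def classify_reply(data):
    """Interpret the first record a server returns to an SSLv3-only hello."""
    if len(data) < 7:
        return "rejected (connection closed or short reply)"
    if data[0] == 0x15:  # alert record: byte 5 is the level, byte 6 the description
        return "rejected (alert level %d, description %d)" % (data[5], data[6])
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:  # ServerHello
        if data[9:11] == SSL3:  # ServerHello.server_version
            return "SSLv3 ACCEPTED"
        return "answered with version %d.%d" % (data[9], data[10])
    return "unrecognised reply"

def probe(host, port=443, timeout=5.0):
    """Send the hello to host:port and classify whatever comes back first."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(ssl3_client_hello())
        try:
            while len(data) < 11:  # enough bytes to read the ServerHello version
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
        except OSError:  # timeout or reset both mean no SSLv3 handshake
            pass
    return classify_reply(data)

if __name__ == "__main__":
    print(classify_reply(SAMPLE_ALERT))
    print(classify_reply(SAMPLE_SERVER_HELLO))
```

A result of "SSLv3 ACCEPTED" means the server completed the first step of an SSLv3 handshake and has not yet dropped the protocol.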
*At the time of publication, our examinations of these sites did not find any malware or misinformation. However, due to the ever-changing nature of the Internet, Shift4 cannot be held liable for the information contained on these pages.