What you need to know about Poodle is that when you connect to a secure server (aka https), there are several protocols, and versions of those protocols, available to create the secure connection. Secure Sockets Layer (SSL) was the first; it was created by Netscape. [Side note: it’s part of why they were giving their browser away. They wanted to make money selling the SSL server to businesses so that you could have secure transactions over the internet; basically, before 1995 all connections to web servers were insecure.] They started with SSL v2; v1 was internal only and never released to the public. Within a year a lot of flaws were discovered, and in 1996 they released SSL v3. Also, to feed into your Illuminati vision of the internet, the SSL 3.0 draft was released by the Internet Engineering Task Force in a Request for Comments: http://tools.ietf.org/html/rfc6101. The RFCs are essentially the guides used by developers to implement the protocols.
In 1999 they came up with a newer protocol, Transport Layer Security (TLS). Starting at this point, newer browsers would first ask if the server supported TLS v1; if it didn’t, they would revert to SSL v3 (which is weaker). As TLS 1.1 and 1.2 came out this trend continued: you’d start off with the best protocol and then go back and forth until you found one you both supported. This was done because a lot of people don’t update their browsers or servers.
Now that you have the background: some researchers at Google discovered a big flaw in SSL v3, which a lot of sites kept around. Why, you may ask? Because of motherfuckin’ Internet Explorer 6, which only supported SSL v3.
So the danger is that if the server supports SSL v3 your traffic can be sniffed. The responsibility is on server owners to stop supporting SSL v3 _but_ you can also, usually, force your browser to not accept SSL v3.
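For server owners who want to confirm SSL v3 is really off, here is an added example (not from the original post): it sends a ClientHello that offers only SSL 3.0 and classifies the first record of the reply. The function names, the cipher list and the two sample replies are constructed for illustration.

```python
import socket
import struct

SSL3 = (3, 0)  # SSL 3.0 on the wire is version 3.0

def build_client_hello(version=SSL3):
    """Minimal ClientHello record that offers only `version` (no extensions)."""
    ciphers = bytes.fromhex("002f0035000a")  # three CBC suites SSL 3.0 servers know
    body = (bytes(version)
            + bytes(32)                          # client random; zeros are fine for a probe
            + b"\x00"                            # empty session id
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00")                       # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake

def classify_reply(data):
    """Classify the first record of the server's reply."""
    if not data:
        return "rejected"                        # server closed the connection
    if len(data) < 5:
        return "unknown"
    ctype, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if ctype == 0x15:                            # alert record
        return "rejected"
    if ctype == 0x16 and len(payload) >= 6 and payload[0] == 0x02:
        # ServerHello: type(1) + length(3) + server_version(2)
        return "accepted" if (payload[4], payload[5]) == SSL3 else "unknown"
    return "unknown"

def probe(host, port=443, timeout=5.0):
    """Send the SSL 3.0-only hello to a server you operate and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            return classify_reply(sock.recv(4096))
        except (ConnectionResetError, socket.timeout):
            return "rejected"

# Constructed sample replies (not captured traffic), so the parser runs offline.
SAMPLE_SERVER_HELLO = (bytes.fromhex("160300002a" "02000026" "0300")
                       + bytes(32) + bytes.fromhex("00002f00"))
SAMPLE_ALERT = bytes.fromhex("1503000002" "0228")  # fatal handshake_failure

if __name__ == "__main__":
    print(classify_reply(SAMPLE_SERVER_HELLO), classify_reply(SAMPLE_ALERT))
```

A result of "accepted" from `probe()` means the server still negotiates SSL v3 and should have it disabled.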
You know the email signature that you often see, something along the lines of:
“Disclaimer: This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately if you have received this email by mistake and delete this e-mail from your system. Finally, the recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.”
It is complete bullshit and you should treat it as such. If you’re sending confidential information in an unencrypted manner you are goddamn negligent and it’s not my fault you don’t understand the technology you are using. Could you imagine if you put the same disclaimer at the end of phone messages or conversations in general?
Well, apparently some of the employees at Goldman Sachs aren’t very tech savvy and have used what I imagine is their immense legal department, shit tons of cash and market influence to convince Google to literally delete a message out of someone’s inbox.
This sets a horrible precedent for Gmail users as Google is now willing to delete messages from people’s inboxes without their knowledge.
If you misaddress an email, the protocol should be to send a follow-up message saying “Hey, I fucked up and sent you a message I shouldn’t have, it contains information that I’d rather not release, would you be so kind as to ignore/delete it and as an apology I’ll buy you a fancy dinner.”
Today I encountered two security fails.
1) When chatting with Sprint customer support they need your account PIN to update your records. After the conversation is over they email your transcript with your PIN sent in the clear.
2) When signing up to pay a travel fee to gain entry to a South American country they confirm your signup by sending you your username and password in the clear.
If you use an iPhone or iPad, update it to the latest version of iOS, which came out a couple of days ago.
If you use Mac OS X (laptop), use Chrome or Firefox to browse the web until an update is released.
For the long version, I’m going to make the assumption that you have a technical background:
A bug was recently discovered in Mac OS X 10.9 that means the signing chain for an SSL/TLS certificate isn’t verified. This makes a man-in-the-middle attack possible. This is certainly big news and should be patched as quickly as possible, but the exploit requires the attacker to jump through a lot of hoops. They’d have to hijack your DNS and have a site that looks similar enough to the real site to prompt you to put in your username/password. If you’re on your home network this probably isn’t the case. If you’re on public wifi it’s more likely, but it would involve someone first having to hack the router at the cafe, redirect it to poisoned DNS servers and have a site (or sites) up and running that would convince you to put in your username/password. But if you’re concerned about privacy on unknown networks you are using a VPN like Private Internet Access anyway, right?
FWIW this code was likely discovered because the core of Mac OS X (Darwin) is open source and the code is verifiable.
UPDATE: Apple has released an update for Mac OS X; install this and all will be well.