Filepicker not susceptible to POODLE SSL 3.0 bug

Filepicker is not susceptible to the SSL 3.0 bug known as POODLE. Here’s why:

Earlier this week the Google Security Team published details of a vulnerability in SSL version 3.0 (RFC 6101), a protocol version they have deemed obsolete and insecure.

This bug can be exploited by a man-in-the-middle attack, where an attacker can force a web browser to fall back to the older version of SSL and intercept any traffic exchanged over the connection.

The vulnerability is described as a POODLE attack, or Padding Oracle On Downgraded Legacy Encryption. It is enabled by TLS clients that attempt their first handshake with the highest protocol version they support and then fall back to older versions on subsequent attempts if that handshake fails.

Once we were aware of the bug, we modified our configurations to deny any attempts to connect with this version of SSL.

And here are further preventative measures to make sure you don’t inadvertently raise the issue with an unpatched client:

Users who are using PhantomJS may have seen this issue as it uses the older version of SSL by default, so if you are using PhantomJS with Filepicker, it will break. You can change this in the config:

Command Line: --ssl-protocol=tlsv1
JSON: "sslProtocol": "tlsv1"

Some browsers like Google Chrome have started testing changes to disable fallback to SSL 3.0.
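The fallback behaviour and the mitigations described above can be modelled in a few lines. This is an added example, not Filepicker's code: it is a toy model of version negotiation rather than a real TLS stack, and every name in it is hypothetical.

```python
# Toy model of SSL/TLS version negotiation (added illustration, not a TLS stack).
# All names here are hypothetical.
SSL3, TLS10, TLS11, TLS12 = "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"
ORDER = [SSL3, TLS10, TLS11, TLS12]          # oldest to newest
ALL = set(ORDER)
LEGACY_SERVER = ALL                          # still accepts SSL 3.0
HARDENED_SERVER = ALL - {SSL3}               # SSL 3.0 denied

def server_select(server_enabled, client_max):
    """Highest version the server enables that is <= the client's offer."""
    candidates = ORDER[: ORDER.index(client_max) + 1]
    usable = [v for v in candidates if v in server_enabled]
    return usable[-1] if usable else None    # None models a failed handshake

def connect(client_versions, server_enabled, fallback=True,
            interfere=lambda offer: False):
    """Client offers its highest version first and, if fallback is on, retries
    one version lower after each failure. interfere(offer) models a network
    fault or on-path party that makes the handshake for that offer fail."""
    offers = sorted(client_versions, key=ORDER.index, reverse=True)
    if not fallback:
        offers = offers[:1]
    for offer in offers:
        if interfere(offer):
            continue
        chosen = server_select(server_enabled, offer)
        if chosen in client_versions:
            return chosen
    return None

def break_tls(offer):
    """Constructed interference: every handshake above SSL 3.0 fails."""
    return offer != SSL3

if __name__ == "__main__":
    cases = {
        "browser, legacy server": connect(ALL, LEGACY_SERVER),
        "browser, legacy server, interference": connect(ALL, LEGACY_SERVER, interfere=break_tls),
        "browser, hardened server, interference": connect(ALL, HARDENED_SERVER, interfere=break_tls),
        "fallback disabled, legacy server, interference": connect(ALL, LEGACY_SERVER, fallback=False, interfere=break_tls),
        "SSLv3-only client, hardened server": connect({SSL3}, HARDENED_SERVER),
        "client pinned to tlsv1, hardened server": connect({TLS10}, HARDENED_SERVER),
    }
    for label, result in cases.items():
        print(f"{label:48} -> {result or 'no connection'}")
```

The SSLv3-only case corresponds to a PhantomJS client left on its default, and the pinned case to the same client after setting the protocol to tlsv1.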

For more information on this, see the official Security Advisory (PDF)

And now a poodle because it’s a poodle:
