No POODLE SSL vulnerability at Virtual Call Center
Google announced a vulnerability in the Web encryption standard SSL 3.0 in the middle of this October. Virtual Call Center had taken all the necessary precautions by the beginning of November.
Bodo Möller, Krzysztof Kotowicz and Thai Duong, Google security engineers, stated three weeks ago that the older, but still supported, SSL 3.0 has a major vulnerability. It allows information that is encrypted, and believed to be secret, to be exposed by an attacker with network access. People at Google have done many things since then to solve the problem. Moreover, they said that they would like to remove support for SSL 3.0 completely in the coming months. “POODLE (Padding Oracle On Downgraded Legacy Encryption) enables an attacker to read information encrypted with this SSL version by executing a man-in-the-middle attack,” explains Tamas Csiszar, Virtual Call Center’s system engineer (OSCP).
A POODLE attack takes advantage of how problems in establishing encrypted connections are handled. If an encrypted connection can’t be established, the next attempt falls back to the old, vulnerable version. Developers use this fallback to accommodate old systems that don’t support versions newer than SSL 3.0.
“There wasn’t too big an attack surface in the Virtual Call Center system, as our client program has favoured the TLS standard for a long time. However, we responded quickly to save client data, and after the necessary testing, we removed support for SSL 3.0,” says Mr Csiszar, adding that the company’s employees pay attention to security updates on a daily basis. “If a new update comes up on the RSS feed, we check it instantly. In this case, we also started to manage the problem directly. We checked if there are any clients who still use SSL 3.0, and what we should do if we find one.”
The intense work paid off. There is no possibility of a POODLE SSL vulnerability at Virtual Call Center.
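A client that falls back as described above announces protocol version 3.0 in its ClientHello, so checking for clients that still use SSL 3.0 comes down to reading that field from the first record each client sends. The sketch below is an added example, not Virtual Call Center's own tooling; the client names and captured bytes are constructed for illustration.

```python
import struct

SSL3 = (3, 0)

def client_hello_version(record: bytes):
    """Return the (major, minor) version offered in a ClientHello, else None."""
    if len(record) < 11:
        return None
    ctype, _rec_major, _rec_minor, rlen = struct.unpack("!BBBH", record[:5])
    if ctype != 0x16 or len(record) < 5 + rlen:   # not a complete handshake record
        return None
    body = record[5:5 + rlen]
    if len(body) < 6 or body[0] != 0x01:          # handshake type 1 = ClientHello
        return None
    return (body[4], body[5])                     # client_version follows the 3-byte length

def ssl3_clients(captures):
    """captures: iterable of (client_id, first_record_bytes) pairs."""
    return [cid for cid, rec in captures if client_hello_version(rec) == SSL3]

def _hello(major: int, minor: int) -> bytes:
    """Build a minimal ClientHello record (constructed test data)."""
    body = (bytes([major, minor]) + bytes(32)     # client_version + 32-byte random
            + b"\x00"                             # empty session id
            + b"\x00\x02\x00\x35"                 # one cipher suite
            + b"\x01\x00")                        # null compression only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes([3, min(minor, 1)]) + len(hs).to_bytes(2, "big") + hs

# Constructed sample: first record seen from each (hypothetical) client.
SAMPLE = [
    ("agent-01", _hello(3, 3)),        # offers TLS 1.2
    ("agent-02", _hello(3, 0)),        # offers SSL 3.0: flag for follow-up
    ("agent-03", _hello(3, 1)),        # offers TLS 1.0
    ("agent-04", _hello(3, 0)[:20]),   # truncated capture: ignored
    ("agent-05", b"\x17\x03\x01\x00\x06" + bytes(6)),  # application data, not a hello
]

if __name__ == "__main__":
    for cid in ssl3_clients(SAMPLE):
        print(f"{cid}: ClientHello offers SSL 3.0")
```

Once SSL 3.0 support is removed on the server, a hello like `agent-02`'s is refused, so running such a check beforehand shows which clients would lose connectivity.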