
StartPage protects its users from 'POODLE' SSL v3 threat


fredlaso


The POODLE SSLv3 Threat
Last modified on 17 October 2014 05:40 PM

On October 14th, 2014, Google engineers disclosed a vulnerability in an older encryption protocol called SSLv3. Users of older web browsers that use this protocol exclusively, such as Internet Explorer 6, are exposed to possible "man-in-the-middle" attacks. In addition, more recent browser versions that use more modern encryption protocols such as TLS are not exempted, as these browsers may be forced to fall back to using SSLv3 by an attacker.

The good news is that StartPage’s servers are protected against this vulnerability. StartPage prevents POODLE exploits from occurring by not accepting SSLv3, and only allowing newer encryption protocols, such as TLS 1.0 or higher, that are not vulnerable to this attack. StartPage's support for strong security and cryptography standards is reflected in its receiving the highest possible score (A+) from Qualys SSL Labs.

Because StartPage does not support SSL v3, you are safe from POODLE when visiting StartPage.com.

What should users do to protect themselves when visiting other sites?

If you are using an older web browser, we recommend you upgrade to the latest version, like Mozilla Firefox, Opera, Chromium, or Google Chrome. These newer browsers support modern, safer encryption standards by default.

In addition, the browser should be configured to not accept SSLv3. The way to do this varies per browser. General information and instructions on how to accomplish this can be found at http://www.cnet.com/news/google-exposes-poodle-flaw-in-web-encryption/.

Mozilla Firefox users can install the official Mozilla browser add-on "SSL Version Control", which disables SSLv3. For more Firefox-specific information, please see: Mozilla Security Blog - The POODLE Attack and the End of SSL 3.0 - https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/.

Chrome/Chromium users can run their browser with the --ssl-version-min=tls1 command-line flag to disable SSLv3. Please see this link for more information on launching Chrome/Chromium with command-line flags: http://www.chromium.org/developers/how-tos/run-chromium-with-flags

If you are having trouble, you can ask a savvy friend or computer technician to upgrade the browser for you. Such services may also be offered by computer stores.

For more information on POODLE and SSLv3, please see the following links:

http://googleonlinesecurity.blogspot.nl/2014/10/this-poodle-bites-exploiting-ssl-30.html

https://www.openssl.org/~bodo/ssl-poodle.pdf

Note: StartPage recently changed its SSL certificate provider from GoDaddy to COMODO. If you have security software or browser extensions that alert you to this fact, please rest assured this was an intended administrative change and unrelated to POODLE.

Link to comment
Share on other sites
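
The post above says a server is protected when it does not accept SSLv3 at all. The following is an added example, not part of the original post or StartPage's own code, showing one way to check that for a server you operate: send a ClientHello that offers only protocol version 3.0 and see whether the first reply is a ServerHello selecting it. The function names, the cipher-suite list and the sample replies are assumptions made for this sketch.

```python
import os
import socket
import struct

SSL3 = b"\x03\x00"  # protocol version 3.0 on the wire (TLS 1.0 is 3.1)

def build_client_hello(version=SSL3):
    """Minimal ClientHello that offers only `version`, with no extensions."""
    suites = struct.pack("!3H", 0x002F, 0x000A, 0x0005)  # AES128-CBC, 3DES-CBC, RC4
    body = (version + os.urandom(32)       # client_version, random
            + b"\x00"                      # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                 # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake

def classify_reply(data, version=SSL3):
    """Return True if the first record is a ServerHello selecting `version`."""
    if len(data) < 5:
        return False                       # connection closed or reset: refused
    rec_type = data[0]
    if rec_type == 0x15:                   # alert record (e.g. handshake_failure)
        return False
    if rec_type == 0x16 and len(data) >= 11 and data[5] == 0x02:
        return data[9:11] == version       # server_version inside ServerHello
    return False

def server_accepts_sslv3(host, port=443, timeout=5.0):
    """Connect, send the SSLv3-only hello, and classify the first reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello())
            return classify_reply(sock.recv(4096))
    except OSError:                        # unreachable, reset or timeout: no SSLv3 seen
        return False

# Constructed sample replies (not captured traffic):
ALERT_REPLY = bytes.fromhex("15030000020228")                      # fatal handshake_failure
HELLO_REPLY = bytes.fromhex("160300002a020000260300") + bytes(36)  # ServerHello, v3.0
```

A `False` result from `server_accepts_sslv3` also covers the case where the host could not be reached, so confirm connectivity separately before treating it as proof that SSLv3 is disabled.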

