How we poodle-proofed Casengo

Emily

First things first: we like poodles, as long as their owners don’t resemble them too much. What we don’t like, however, is the Padding Oracle On Downgraded Legacy Encryption (aka POODLE) leak that the guys at Google disclosed last week: a vulnerability in the design of SSL version 3.0 (SSLv3).

How does SSL work? Web servers and web browsers rely on the Secure Sockets Layer (SSL) protocol to help users protect their data during transfer. For private communication – like a live chat conversation – a uniquely encrypted channel is used. When you want to connect to a web page that is protected by SSL, the browser will look for the most recent SSL version that both it and the server support. Usually, that’s a recent version, which is perfectly safe.

What leak are we talking about? If the connection fails, however, the browser will automatically look for other, older SSL versions to get rocking. The leak we’re talking about is found in a totally ancient version: SSL version 3.0, nearly 18 years old. Thanks to POODLE, hackers can deliberately mess up connections, and once a connection has fallen back to SSLv3, they can intercept sensitive data from online stores and other websites.

Which steps did we take? Hackers are able to mess up connections so badly that even browsers with a new SSL version – ours and probably yours – will fall back on SSLv3. That’s why we decided to disable this old version and make it unavailable for web browsers.

How does this affect you or your customer service? It most probably won’t affect you at all: most of our users won’t notice a thing, and neither will their online visitors requesting support through live chat. Our developers did some research through Google Analytics; they found out that just 0.88% of people visiting our users’ websites use an outdated browser. Unless they upgrade their browser, these unhappy few will not be able to have a live chat conversation with you (if, that is, you enforce HTTPS). If you do get a call from a (potential) customer about live chat not working, first check which browser s/he is using. Anyone using Microsoft Internet Explorer 6 (IE6) – or an even older IE version – is advised to upgrade to the newest version of Internet Explorer (if that’s even possible), or switch to Google Chrome or Mozilla Firefox. So rest assured: this poodle will no longer bite.