A while ago we received an email from Amazon stating that someone had recently tried to access one or more MRIC videos that are hosted on S3 using a browser that is configured to use SSLv3.
To give you some perspective on this… SSLv3 was introduced in 1996. It was replaced by TLS in 1999.
We are also told that the most recent browser that is configured to use SSLv3 is IE 6, which was replaced by IE 7 in 2006.
All this means that someone is using a very old browser. Normally we would assume that all MRIC members are at least active enough online to have browsers that don’t date back to 2006, but we did get the message, so we decided to let you in on this, in case you are affected…
My understanding of all this is quite limited, but in essence, what happened is that about a year ago they discovered that hackers were using an attack which they call POODLE (standing for Padding Oracle on Downgraded Legacy Exception).
When data is sent to a server and is encrypted using SSLv3, it is divided into blocks. There have to be a certain number of blocks, and if the transmission doesn’t have the correct number, there is padding added. Using a method which is quite involved, a hacker can figure out the code in the padding, and this enables him to impersonate his victim. He can then access the victim’s online accounts.
It is not an easy thing to do, so the chances of it happening to any one person are small. Even so, Amazon has decided to discontinue support for SSLv3 altogether.
So, what does all this mean to you, fair MRIC member?
This is going to happen on May 20, 2015. So, if you try to access any of our videos on or after that date and are unable to do so, the first thing you need to do is make sure your browser is up-to-date. If it is, please open a support ticket and send Anne a description of what you are experiencing.
We have been assured that the players we are using are not an issue and that if anyone is having trouble it means that their browser is outdated.
If you are a geeky type and need a better explanation, you might start with this video:
SSLv3 Poodle Vulnerability (CVE-2014-3566): Description and High-Level Mechanics
It seems to give a relatively thorough explanation and uses very few 5-dollar words.
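For the geeky types who prefer code, here is a small Python sketch of the padding weakness described above. It is an example added to this post, not code from Amazon or from the video; the function names, the 16-byte block size and the sample message are assumptions made for illustration. It shows that an SSLv3-style padding check never looks at the filler bytes, so altered padding goes unnoticed, while the TLS-style check requires every padding byte to hold the same value and rejects the change.

```python
import os

BLOCK = 16  # cipher block size in bytes (assumed for this illustration)

def pad_sslv3(data, block=BLOCK):
    """SSLv3 style: filler bytes can be anything; only the last byte (the count) matters."""
    n = block - 1 - (len(data) % block)
    return data + os.urandom(n) + bytes([n])

def pad_tls(data, block=BLOCK):
    """TLS style: every padding byte, including the count byte, holds the count."""
    n = block - 1 - (len(data) % block)
    return data + bytes([n]) * (n + 1)

def unpad_sslv3(buf, block=BLOCK):
    n = buf[-1]
    if n >= block or n + 1 > len(buf):
        raise ValueError("bad padding length")
    return buf[:-(n + 1)]  # the filler bytes are never inspected

def unpad_tls(buf):
    n = buf[-1]
    if n + 1 > len(buf) or buf[-(n + 1):] != bytes([n]) * (n + 1):
        raise ValueError("bad padding")
    return buf[:-(n + 1)]

def tamper(buf):
    """Flip the filler byte just before the count byte, as if altered in transit."""
    return buf[:-2] + bytes([buf[-2] ^ 0xFF]) + buf[-1:]

def accepts(unpad, buf):
    """True if the given padding check lets the buffer through."""
    try:
        unpad(buf)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    msg = b"GET /video HTTP/1.1"  # constructed sample message
    print("SSLv3 accepts altered padding:", accepts(unpad_sslv3, tamper(pad_sslv3(msg))))
    print("TLS accepts altered padding:  ", accepts(unpad_tls, tamper(pad_tls(msg))))
```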