As far as I know, there isn't any widespread attack taking advantage of POODLE yet.
I believe that full protection in Firefox will come when they change the default setting to disable SSLv3 in FF34 which will be released 11/25/2014. Or you can turn it off yourself now.
If you want to disable SSLv3 in Internet Explorer (which is easy) or Firefox (pretty easy) or Chrome (involves modifying the shortcut you use to launch it), there are detailed instructions
here (scroll down a bit). Note that if you are still using IE6, you also need to enable TLS 1.0 because it's not enabled by default.
No one should still be using SSLv3 anymore (it was developed by Netscape in 1996 and later replaced by TLS) but it's possible some ancient website still is. Here's a comment from one of the SANS ISC articles
Quote:
Oops! Turning-off SSLV3 in Internet Explorer 11 (under Windows 7 Professional) causes the "online court services" web-site of one very-western Canadian Attorney-General branch of that provincial government to generate a message that SSLV3 needs to be turned-on before one can search for civil court proceedings or disputed parking tickets or criminal court proceedings.
Sigh.
|
If you want a more detailed POODLE test, try the Qualys SSLLabs page at
https://www.ssllabs.com/ssltest/viewMyClient.html . It shows the ciphers involved, which is important because POODLE is a problem for SSLv3 only with a particular type of cipher.
For more technical information:
SSL 3 is dead, killed by the POODLE attack
POODLE: Turning off SSLv3 for various servers and client
SSLv3 POODLE Vulnerability Official Release