Fixing Lightroom Problems Caused by the POODLE Security Vulnerability
No Poodles Here (beauty is certainly in the eye of the beholder) At a gallery in Carmel California, in 2000 -- Carmel, California, United States -- Copyright 2000 Jeffrey Friedl,
Canon PowerShot S20 @ 6mm — 1/20 sec, f/2.9, ISO 62 — map & image datanearby photos
No Poodles Here
(wow, beauty is certainly in the eye of the beholder)
At a gallery in Carmel California, in 2000

A security weakness dubbed POODLE has recently been discovered in how internet-connected applications make secure connections, and this is having an increasingly-detrimental impact on Lightroom. Thankfully, it's easy enough to fix for most folks, and this post tells you how.

POODLE manifests itself in that certain kinds of secure connections are no longer quite as secure as they're supposed to be, so until you fix this for your Internet-connected applications, your data may be at risk. But the secondary problem is that, until fixed on your system, your Internet-connected applications like Lightroom may experience seemingly random network errors as more and more remote sites, in an effort to protect their users' data, completely disable support for the insecure protocol.

(A tertiary problem is that folks running into these networking problems while using my Lightroom plugins blame the plugin and inundate me with bug reports.)

How to fix for Mac OS X:

Install Apple's latest security update (which you should be doing anyway). That's it. You're done.

How to fix for Windows:

If you use any of my Lightroom plugins, the easiest way to fix it is to upgrade to the latest version of the plugin. As of versions that I released yesterday, all my plugins do a one-time check to see whether you're vulnerable, and if so, pop up a dialog that offers to fix it for you:

Just click on the [fix now] button and the plugin will fix the problem (disable SSL support in Internet Options, and enable TLS support.).

If you don't use any of my plugins, or if you didn't fix it the one time the dialog (perhaps unexpectedly) popped up, you can use my free my System Information plugin to check/fix your system any time:

The [how to fix] button brings you to the same dialog shown earlier, offering to fix it immediately for you.

In either case, the plugin fixes applications like Internet Explorer and Lightroom that use the base Windows connection library. Some third-party browsers do their own networking, so must be fixed separately. If you have custom browsers on Windows, see this page. (That page also explains how to do the base fix the plugins do, in case you don't want to have the plugins do it for you.)

All 3 comments so far, oldest first...

Thanks for the note about Poodle.

— comment by Tom in SF on October 20th, 2014 at 11:20pm JST (2 years, 7 months ago) comment permalink

From Rockport tx

Thanks for the info just fixed it using the sys info plug inn.
I am moving to an ssd on Wednesday with a clean win7 install.
any recommendations to avoid the “POODLE” problem?
If not I’ll just run your plug inn.

I’m not sure whether the default settings on Win7 are safe, but it’s easy enough to check Internet Settings to see whether SSL is enabled. Or just run the plugin… —Jeffrey

— comment by ed Pouso on October 21st, 2014 at 3:41pm JST (2 years, 7 months ago) comment permalink

Hi Jeff! Thank you for this great information. I also have a plugin that some of our users occasionally have trouble with due to TLS issues. Would you be willing to share the code snippet for how you are checking for proper TLS support? Then we could pop-up our own note similar to the one you have and tell our users what the trouble is. Thanks!

Here you go. —Jeffrey

— comment by Adam Ellis on September 27th, 2016 at 12:25am JST (7 months, 28 days ago) comment permalink
Leave a comment...

All comments are invisible to others until Jeffrey approves them.

Please mention what part of the world you're writing from, if you don't mind. It's always interesting to see where people are visiting from.

You can use basic HTML; be sure to close tags properly.

Subscribe without commenting