Sign up to our newsletter
In an announcement eerily reminiscent of the early phases of the Heartbleed flaw that took internet security by storm earlier in the year, Google has uncovered an exploit that could allow attackers to decode the plaintext traffic of a secure connection.
Nicknamed POODLE – it’s an acronym for Padding Oracle On Downgraded Legacy Encryption – Engadget reports that the bug “allows a man-in-the-middle attacker to decrypt HTTP cookies,” on SSL 3.0. Although SSL 3.0 is around 15 years old, it is still widely used in most web browsers and as a backup on servers if modern protocols fail to connect. Worryingly, “prospective attackers can force a server to default back to SSL 3.0 for the sake of the exploit.”
The BBC estimates that SSL 3.0 is used by about 1% of web traffic, making it less severe than Heartbleed and Shellshock, but notes that “the bug could hit people using old browsers and servers that still use the protocol.”
Google states the only surefire remedy is to disable SSL 3.0 support completely, but notes that this will lead to “significant compatibility problems even today.” Instead, they recommend supporting TLS_FALLBACK_SCSV – a mechanism “that solves the problem caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0”. This function has been supported by Chrome and Google servers since February.
Mozilla responded quickly to the news, advising users to install a security add-on in Firefox that disables SSL 3.0. Firefox 34 will include the fix by default when it is released.
CNET states that to disable SSL 3.0 in Chrome “Google advises that you add this command line flag to the browser: –ssl-version-min=tls1”. For Internet Explorer 7 and newer, “you can go to Internet Options, click the Advanced tab, uncheck SSLv3 and click the OK button.”
The Guardian reports that some of the biggest websites on the internet have been responding to the vulnerability impressively quickly: “CloudFlare, which hosts and protects thousands of websites, message service Slack, search engine DuckDuckGo, Fitbit, Twitter and many others have already disabled support for SSL 3.0”
Author Alan Martin, ESET