Google Discloses New SSL Web Encryption Vulnerability ‘POODLE’

Media Division | October 16, 2014

While the internet has not reached Heartbleed levels of panic yet, Google’s announcement of a vulnerability discovered in an older version of SSL, the protocol responsible for keeping your online activity protected, is disconcerting.

The bug is called ‘POODLE’, according to a statement on Google’s security blog:

“Today we are publishing details of a vulnerability in the design of SSL version 3.0. This vulnerability allows the plaintext of secure connections to be calculated by a network attacker.”

POODLE stands for Padding Oracle On Downgraded Legacy Encryption, and it exploits a vulnerability that could give hackers access to sensitive credentials of your online account. Any site you connect to via a secure HTTPS connection through your web browser is at risk. Hackers could decrypt and read sensitive information for any website you connect to via HTTPS.

Bodo Möller, Google security researcher, noted that disabling SSL 3.0 support or CBC-mode ciphers with SSL 3.0 would be enough to address the issue, but it would cause compatibility problems. Therefore, the recommended response is to support TLS_FALLBACK_SCSV.

The mechanism solves the problem caused by retrying failed connections, and so prevents an attacker from forcing browsers to go back to SSL 3.0. Möller added that Google’s servers and Chrome browser have supported TLS_FALLBACK_SCSV since February, which shows it can be used without compatibility issues. Google will also begin testing Chrome with modifications that disable the fallback to SSL 3.0.

“Therefore our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0,” he stated in a blog post.

“It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.”
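
The server-side check that TLS_FALLBACK_SCSV adds, as an added example (not code from Google or from the original article). It follows RFC 7507, which defines the signalling value 0x5600 and the inappropriate_fallback alert (86); the function names and the ClientHello bytes are constructed for illustration.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600           # RFC 7507 signalling cipher suite value
ALERT_INAPPROPRIATE_FALLBACK = 86    # RFC 7507 fatal alert description
SSL30, TLS12 = (3, 0), (3, 3)        # wire versions as (major, minor)

def build_client_hello(version, suites):
    """Constructed ClientHello body (no record header, no extensions)."""
    body = bytes(version) + bytes(32) + b"\x00"    # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))     # cipher suite list length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)
    return body + b"\x01\x00"                      # one compression method: null

def parse_client_hello(body):
    """Return (client_version, cipher_suites) from a ClientHello body."""
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    version = (body[0], body[1])
    pos = 2 + 32                                   # skip version and random
    pos += 1 + body[pos]                           # skip session id
    (cs_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("malformed cipher suite list")
    suites = list(struct.unpack_from("!%dH" % (cs_len // 2), body, pos))
    return version, suites

def server_decision(body, server_max=TLS12):
    """Apply the fallback check before normal version negotiation."""
    version, suites = parse_client_hello(body)
    # The client marks a retry at a lower version with the SCSV. If the server
    # could have done better, the earlier failure was not a real incompatibility.
    if TLS_FALLBACK_SCSV in suites and version < server_max:
        return ("alert", ALERT_INAPPROPRIATE_FALLBACK)
    return ("negotiate", min(version, server_max))

if __name__ == "__main__":
    cases = {
        "first attempt, TLS 1.2": build_client_hello(TLS12, [0xC02F, 0x002F]),
        "retry at SSL 3.0 with SCSV": build_client_hello(SSL30, [0x002F, TLS_FALLBACK_SCSV]),
        "SSL 3.0-only client, no SCSV": build_client_hello(SSL30, [0x002F]),
    }
    for name, hello in cases.items():
        print(name, "->", server_decision(hello))
```

The third case still negotiates SSL 3.0: the check only stops induced downgrades, so clients that never send the value are protected only where SSL 3.0 itself is disabled.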

The attack would take place when a hacker is posing as a man-in-the-middle on the same wireless network and your system is running a web browser with JavaScript. This makes it unsafe to connect to HTTPS websites via public WiFi networks. Users can test whether they or the sites they are visiting are vulnerable via this URL: https://www.poodletest.com/.

Making yourself secure against the vulnerability

Multiple sites are disabling SSL 3.0, which may leave users of unpatched or older browsers without any access to HTTPS, but these problems should affect a minority of total products. TLS was introduced 15 years ago and is supported in most modern browsers; SSL 3.0 made sense around the turn of the millennium but has outlived its usefulness. While nowhere near the size of the Heartbleed bug, POODLE is a significant concern, since most browsers fall back to SSL 3.0 under the right conditions.

At the moment, the Chrome browser can be set to avoid SSL 3.0 with a command-line flag when you launch the executable directly. Mac users can follow these instructions:

• Close out all Chrome browsers
• Launch Applications > Utilities > Terminal
• Copy and paste: /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --args --ssl-version-min=tls1
• Hit return. Chrome will now launch without SSL 3.0 active

Firefox can be configured to avoid SSL 3.0 by entering ‘about:config’ into the address bar, searching for ‘security.enable’ and setting ‘security.enable_ssl3’ to false. IE can be told to disable SSL 3.0 by setting the flag in the ‘Advanced’ tab of Internet Options (IE 6.0 is the last browser to only support SSL 3.0).

Until a fix is released, it is recommended that you avoid connecting to HTTPS websites via public WiFi and, if it is necessary, check the website first to make sure it has been patched.
