Another vulnerability, similar to Heartbleed, has been found in the extensively used Secure Sockets Layer (SSL) 3.0 cryptographic protocol, which can allow attackers to decode the contents of encrypted website connections.
Google’s security team revealed that the universally used web encryption standard SSL 3.0 has a crucial security vulnerability that could be used to steal sensitive data. The defect affects the security of any software that still supports SSL version 3, including Firefox, Chrome and Internet Explorer.
Researchers have named the attack “POODLE”, which stands for Padding Oracle On Downgraded Legacy Encryption. It allows an attacker to execute a man-in-the-middle attack in order to decode HTTP cookies. The POODLE attack can make a connection “fall back” to SSL 3.0, where it becomes possible to steal cookies, which can store passwords, website preferences and even personal information.
This security hole was discovered by three Google engineers, Bodo Möller, Thai Duong and Krzysztof Kotowicz, and the discovery has made the 15-year-old protocol absolutely impossible to use securely.
Bodo Möller wrote in a blog post, “This vulnerability allows the plaintext of secure connections to be calculated by a network attacker. I discovered this issue in collaboration with Thai Duong and Krzysztof Kotowicz (also Googlers).”
POODLE is a severe threat because SSL 3.0 is used by web browsers as well as websites, and it will remain severe as long as SSL 3.0 is supported. Therefore, web browsers as well as websites should be reconfigured to avoid using SSL 3.0.
While SSL 3.0 is not the most modern form of web encryption in use, secure HTTP servers and web browsers still support it in case they run into problems with Transport Layer Security (TLS), which is SSL’s more advanced and less vulnerable successor.
“If a client and server both support a version of TLS, the security level offered by SSL 3.0 is still relevant since many clients implement a protocol downgrade dance to work around server-side interoperability bugs.”
There is nothing a user can do to guard against the POODLE attack, as was the case with Shellshock and Heartbleed. But companies all around the world are releasing patches for their embedded devices and servers that disallow the use of SSL 3.0.
The vulnerability was discovered in September 2014, just a couple of months after SSL was brought into the limelight because of the Heartbleed incident. As soon as the discovery was made, Google alerted hardware and software vendors. They recommended disabling SSL 3.0 until the problem got fixed. If an end user’s browser supports SSL 3.0, they should disable that support or use tools that support the TLS Fallback Signaling Cipher Suite Value (TLS_FALLBACK_SCSV), as it helps prevent downgrade attacks.
POODLE lies within SSL itself, which is why commonly used browsers are affected. In response to the problem, Google has declared that it is stripping SSL 3.0 support from the Chrome browser and, in the coming months, will remove SSL 3.0 support entirely from all its products.