Newest threat to web security: Poodle bug in SSL 3.0
After Heartbleed and Shellshock, Poodle is the third major web security bug discovered this year. The first two had already sent security teams scrambling for patches and running threat assessments, and they had barely settled when Google’s researchers announced Poodle. The Poodle bug exploits a major weakness in SSL 3.0, an outdated protocol that browsers and web servers still fall back to when newer options such as TLS are not available.
Even though its impact is not as severe as Heartbleed or Shellshock, it allows an attacker to hijack a connection that was supposed to be secure. Once they have done so, they can gain access to your email, web hosting, bank and social media accounts. The attack itself may be easy, but getting into position to run it is quite complex: the attacker must be able to intercept your traffic, for example by creating a Wi-Fi network for you to join or by having access to the Wi-Fi network you are connected to.
Discovered by Bodo Möller, Thai Duong and Krzysztof Kotowicz of Google, Poodle stands for Padding Oracle On Downgraded Legacy Encryption. The flaw, detailed in their research paper, lies in the design of SSL 3.0 (SSL v3) itself. The protocol is still in use, mainly by outdated software: web browsers, web servers, load balancers and operating systems such as Internet Explorer 6 and Windows XP. To protect your device or computer, update your browser or server software to the latest version. Because the flaw is in the protocol itself rather than in any one implementation, it cannot be fixed by a patch. The logical solution is to kill the 18-year-old protocol.
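To see why the remedy has to be retiring the protocol rather than patching it, the added example below (not code from the researchers or from any SSL/TLS library) models the record-layer padding and MAC check a receiver performs after CBC decryption, once under SSL 3.0 rules and once under TLS 1.0 rules. The MAC key, the message and the "garbled" final block are constructed for the example, and the function names are assumptions. Under SSL 3.0 the receiver's accept/reject answer depends on a single byte of the decrypted block, which is the padding oracle the bug's name refers to; under TLS every padding byte is checked, so the same answer gives nothing away.

```python
"""Why POODLE is a protocol defect and not a patchable bug.

Added illustration, not code from the POODLE paper or from any SSL/TLS
implementation.  It models only the padding and MAC check that a receiver
performs after CBC decryption; the toy MAC key, the constructed message and
the constructed garbage block are assumptions made for the example.
"""
import hashlib
import hmac

BLOCK = 16      # AES block size in bytes
MAC_LEN = 20    # HMAC-SHA1 tag length, as in the SSL 3.0 / TLS 1.0 cipher suites
MAC_KEY = b"constructed-key-for-the-example"   # assumption, not a real key


def tag(message: bytes) -> bytes:
    return hmac.new(MAC_KEY, message, hashlib.sha1).digest()


def pad_ssl3(body: bytes) -> bytes:
    """SSL 3.0: the last byte holds the padding length; the pad bytes before it
    are not checked by the receiver (the sender may put anything there)."""
    pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    return body + bytes(pad_len) + bytes([pad_len])


def pad_tls(body: bytes) -> bytes:
    """TLS 1.0+: every padding byte, including the length byte, equals pad_len."""
    pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    return body + bytes([pad_len]) * (pad_len + 1)


def padding_ok_ssl3(plaintext: bytes) -> bool:
    # SSL 3.0 only requires pad_len < block size; the pad contents are ignored.
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    return pad_len < BLOCK and pad_len + 1 <= len(plaintext)


def padding_ok_tls(plaintext: bytes) -> bool:
    # TLS: the whole padding region must consist of the pad_len value.
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return False
    return all(b == pad_len for b in plaintext[-(pad_len + 1):])


def receiver_accepts(plaintext: bytes, padding_ok) -> bool:
    """Receiver side: check and strip padding, then verify the MAC."""
    if not padding_ok(plaintext):
        return False
    body = plaintext[:-(plaintext[-1] + 1)]
    if len(body) < MAC_LEN:
        return False
    message, received_tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(tag(message), received_tag)


# 28 message bytes + 20 MAC bytes = 48 bytes, so the final block of the record
# is pure padding (15 pad bytes plus the length byte).  Constructed input.
MESSAGE = b"GET /account HTTP/1.1 abcdef"


def genuine_record_accepted(pad, padding_ok) -> bool:
    """Sanity check: an untampered record passes under both rule sets."""
    return receiver_accepts(pad(MESSAGE + tag(MESSAGE)), padding_ok)


def acceptances_for_last_byte(pad, padding_ok) -> int:
    """Replace the all-padding final block with constructed garbage and count
    how many of the 256 possible values of its last byte the receiver accepts."""
    record = pad(MESSAGE + tag(MESSAGE))
    assert len(record) % BLOCK == 0 and record[-1] == BLOCK - 1
    garbage = bytes(range(0x41, 0x41 + BLOCK - 1))   # 15 constructed junk bytes
    accepted = 0
    for last in range(256):
        trial = record[:-BLOCK] + garbage + bytes([last])
        if receiver_accepts(trial, padding_ok):
            accepted += 1
    return accepted


def compare() -> dict:
    """SSL 3.0 accepts exactly one value (last byte == 15), so the verdict leaks
    that byte; TLS accepts none, because all 16 bytes would have to be 0x0f."""
    return {
        "ssl3": acceptances_for_last_byte(pad_ssl3, padding_ok_ssl3),
        "tls": acceptances_for_last_byte(pad_tls, padding_ok_tls),
    }


if __name__ == "__main__":
    print(compare())
```

The single accepted value under SSL 3.0 is the whole problem: the receiver behaves correctly according to its own specification, so there is no implementation bug to fix, only a protocol to switch off.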
Google’s suggested fix is to disable the protocol in any software that still supports it. In the near future Google plans to remove SSL 3.0 support from all of its software, and it recommends supporting the downgrade-prevention mechanism TLS_FALLBACK_SCSV. Many industry giants like Apple and Twitter have already dropped support for SSL v3, and the rest will follow sooner or later. If you own a website or software that depends on the protocol, update it now, or you risk losing traffic: major browsers have also announced updates that will no longer support it.
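What "disable the protocol" looks like in practice, as an added example that is not code from Google or from any project named above: a Python server context built with the standard-library ssl module, with SSL 3.0 excluded by a protocol-version floor, alongside a deliberately permissive context of the kind 2014-era software might have carried and a check that tells the two apart. The function names are assumptions. TLS_FALLBACK_SCSV has no knob here because it is handled inside the OpenSSL library the module links against, not by application code.

```python
"""Disable SSL 3.0 in a Python TLS server context and verify it is gone.

Added example using only the standard-library ssl module; not code from any
project mentioned in the article.  Function names are assumptions.
"""
from __future__ import annotations

import ssl


def hardened_server_context(certfile: str | None = None,
                            keyfile: str | None = None) -> ssl.SSLContext:
    """Server context that will not negotiate SSL 3.0 (or anything below TLS 1.2)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # A floor on the negotiated version is the modern way to retire old protocols;
    # the OP_NO_SSLv3 flag that older code used is left at Python's secure default.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def legacy_compatible_context() -> ssl.SSLContext:
    """The weak setting for comparison: 'accept whatever the peer offers'.
    Whether SSL 3.0 can really be spoken also depends on the OpenSSL build;
    modern builds have it compiled out, so this only models the configuration."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.options &= ~ssl.OP_NO_SSLv3     # clear the default exclusion
    return ctx


def allows_sslv3(ctx: ssl.SSLContext) -> bool:
    """SSL 3.0 is reachable only if neither mechanism excludes it."""
    floor_permits = ctx.minimum_version <= ssl.TLSVersion.SSLv3
    flag_permits = not (ctx.options & ssl.OP_NO_SSLv3)
    return floor_permits and flag_permits


def minimum_protocol_name(ctx: ssl.SSLContext) -> str:
    return ctx.minimum_version.name


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_server_context()),
                      ("legacy-compatible", legacy_compatible_context())):
        print(f"{name}: floor={minimum_protocol_name(ctx)} allows_sslv3={allows_sslv3(ctx)}")
```

The same two-part check applies to any server you audit: look at the version floor the software enforces and at any explicit protocol exclusions, because either one alone is enough to shut SSL 3.0 off, and neither being set is the condition to fix.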
Killing off SSL 3.0 may take some time. While your software is being updated, you can protect yourself by following the steps mentioned here. For more information, see the blog of Daniel Fox Franke, who works in Akamai Technologies’ Information Security department and specializes in cryptography.