Which SSL Reviews

SSL Security

Google Exposes Another Security Flaw, Names it POODLE

October 18, 2014 | By  

Summary

A trio of Google security researchers have discovered a major flaw in the older yet a still supported Web encryption standard SSL 3.0. According to Experts, patching the flaw is impossible and upgrading will be also be difficult.
This statement could be big boon for cyber criminals worldwide and a disaster for Internet security, considering everything Google has done to bolster the same.

SSL

POODLE Flaw

  • Older Web technologies are still menaced vulnerabilities that show how insecure they are.
  • The three Google security engineers, the discoverers of the flaw, have proved that the encryption standard Secure Socket Layer (SSL) can be circumvented by the new flaw they call POODLE.
  • POODLE is the latest security hole in SSL 3.0 making the 15-year-old encryption protocol almost impossible to use in a secure manner. This statement from Bodo Möller, Thai Duong, Krzysztof Kotowicz (the Google trio) does not sound good to Web security.
  • The Flaw allows encrypted, confidential data to be exposed by a hacker with network access. POODLE (Padding Oracle On Downgraded Legacy Encryption) is an issue because it is extensively by Web browsers and websites. Now, both my undergo re-configuration to avoid using SSL 3.0, and POODLE flaw will remain an issue as long as SSL 3.0 receives support.
  • The fact is SSL 3.0 is no longer the advanced version of Web encryption in use today.
  • But according to Möller, Web browsers and  HTTPS servers still need it in an event they confront issues in Transport Layer Security (TLS), SSL’s more advanced, less vulnerable successor.
  • The upside is that not much of the Internet relies on SSL 3.0 anymore. As per a study, it was found that only a few websites rely on SSL 3.0.

Why POODLE is a Problem?

  • The reason why POODLE is an issue is that hackers can force a Web browser to demote to SSL 3.0.
  • If either the Web browser or the Web server encounters issues connecting with TLS, websites and Web browsers will most often fall back to SSL. The issue is that hackers can pull off connection failure  forcing a website to use SSL 3.0 and exposing itself to hackers.
  • The flaw could give cyber criminals easy access to a user’s mail, bank account, social media account, and other online services.

POODLE and Other Similar Breaches

  • Security experts have compared POODLE with other widespread vulnerabilities BEAST and Firesheep. While BEAST used Java applet to break SSL/TLS security, Firesheep was a browser add-on that grabbed unencrypted communications over the Internet.
  • While encryption can defeat Firesheep , POODLE is an issue because the vulnerability lies with the encryption itself. However, the flaw only impacts a Man-In-The-Middle (MITM) situation where a hacker sneakily intercepts network traffic.
  • POODLE poses a big threat especially to legacy Web browsers such as Internet Explorer 6 that only supports SSL 3.0 and none of the advanced protocols that followed.
  • Most research analysts have said that mounting an attack using POODLE flaw is very difficult at this stage. However, it could be used as an effective spy on high-profile targets.
  • The NSA, GCHQ, Chinese, and Russian intelligence have access to Web traffic inbound and outbound of their countries, along with the resources and skills to enforce a POODLE attack.  This could pose a serious threat to many  intelligence and military establishments.

Users Responsibility and Reactions of Tech Giants

  • The best solution to prevent from being spied via SSL 3.0 is to refrain from using public wireless networks or any connection that is untrustworthy. People using public Wi-Fi are in serious danger from this flaw.
  • A successful hack would not give the attacker the actual password but would give the session cookies that could be used to access a user’s account.
  • Google and Mozilla addressed the POODLE flaw and have advised their users to disable SSL 3.0 immediately.  However, neither Apple nor Microsoft has addressed the flaw till now.
  • Twitter has disabled SSL 3.0 and has notified its users of the same. But this may break the social networking site on some Web browsers.
  • This is the third major vulnerability identified in the Internet architecture this year following the Heartbleed flaw in April and Shellshock bug detected in Unix software. And there is exists a notion that this will not be last of what we hear of POODLE.
Be part of an IT community with thousands of subscribers. Get the latest news, blogs, and thought leadership articles. Subscribe now
Email *

Posted in SSL Security

Be Sociable, Share!

Leave a Comment


 


* fields are mandatory