Web browser and server software are vulnerable to the Poodle bug. Attackers can exploit the framework of SSL 3.0 to intercept encrypted information and gain access to email, bank accounts, etc. It has been established that the vulnerability is so deeply rooted in SSL 3.0 that it cannot be fixed by a patch. All software like Mozilla Firefox, Google Chrome, Safari and Internet Explorer are vulnerable. The only solution to secure software that support it is to completely stop using SSL 3.0 and use TLS only.
Poodle, as detailed in this security advisory is short for Padding Oracle On Downloaded Legacy Encryption. Discovered by Google researchers Bodo Möller, Thai Duong, and Krzysztof Kotowicz it was announced in Google’s security blog. Most web browsers still support SSL 3.0 and allow access to the legacy protocol if other options are not working. Attackers can exploit this method to access and hack browser clients or server software.
“If either side supports only SSL 3.0, then all hope is gone, and a serious update required to avoid insecure encryption,” they write. “If SSL 3.0 is neither disabled nor the only possible protocol version, then the attack is possible if the client uses a downgrade dance for interoperability.”
Major companies like Apple and Twitter have already killed support for SSL 3.0 and others have no option but to follow suit. Google whose engineers discovered the threat has announced support for TLS_FALLBACK_SCSV to prevent access to SSL 3.0 when a failed connection is retried. It also hopes to update all its client software and remove support for SSL 3.0 completely in the coming months.
Poodle may also signal the end of Internet Explorer 6 and Windows XP as websites that drop support for SSL 3.0 may no longer be compatible with the aging browser and operating system. Websites that still depend on SSL 3.0 only have to update to modern standards immediately. It is only a matter of time when most servers and client software will drop support for SSL v3.
Heartbleed, Shellshock and now Poodle, this seems to be the year of uncovering major bugs in major web technologies. The Heartbleed bug exploited a vulnerability in OpenSSL while the Shellshock bug exploited Bash – a part of Unix software’s core. Even though Poodle is not a threat as big as Heartbleed or Shellshock, it is still a massive loophole waiting to be exploited.
To learn more about Poodle visit this Akamai Security Researcher’s blog.
For a step by step guide to disable SSL 3.0 in your browser visit this link.