Google details new “Poodle” bug, making browsers susceptible to hacking

Google Poodle - generic

Google’s security team detailed today a new bug that takes advantage of a design flaw in SSL version 3.0, a security protocol created by Netscape in the mid 1990s. The researchers called it a Padding Oracle on Downgraded Legacy Encryption bug, or POODLE.

Although the protocol is old, Google said that “nearly all browsers support it” and its available for hackers to exploit. Even though many modern-day websites use the TLS security protocol (essentially, the next-generation SSL) as their means of encrypting data for a secure network connection between a browser and a website, things can run amok if the connection goes down for some reason.

In this case, the browser tries to reestablish a link with the website through older versions of the security protocol, like SSL 3.0, which makes the connection vulnerable for an attack.

CloudFlare also posted details on Poodle and described how hackers take advantage of the design flaw in SSL 3.0.

From CloudFlare:

The vulnerability allows an attacker to add padding to a request in order to then calculate the plaintext of encryption using the SSLv3 protocol. Effectively, this allows an attacker to compromise the encryption when using the SSLv3 protocol.

CloudFlare

Google said that it’s possible to disable support for SSL 3.0, but doing so will impact browser/web compatibility. To address this, Google endorses the following action:

Therefore our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.

The search giant said that it’s now testing features that prevent websites from reverting to using the SSL 3.0 protocol, which will result in some websites to malfunction. Google said it plans to completely remove all support for SSL 3.0 in the next couple of months.

Firefox also said today it will no longer be supporting SSL 3.0 in Firefox 34, to be released by the end of November.

Cropped image of poodle via creative commons by Greg Westall/Flickr

loading

Comments have been disabled for this post