Google’s security team detailed today a new bug that takes advantage of a design flaw in SSL version 3.0, a security protocol created by Netscape in the mid 1990s. The researchers called it a Padding Oracle on Downgraded Legacy Encryption bug, or POODLE.
Although the protocol is old, [company]Google[/company] said that “nearly all browsers support it” and its available for hackers to exploit. Even though many modern-day websites use the TLS security protocol (essentially, the next-generation SSL) as their means of encrypting data for a secure network connection between a browser and a website, things can run amok if the connection goes down for some reason.
In this case, the browser tries to reestablish a link with the website through older versions of the security protocol, like SSL 3.0, which makes the connection vulnerable for an attack.
[company]CloudFlare[/company] also posted details on Poodle and described how hackers take advantage of the design flaw in SSL 3.0.
[blockquote person=”CloudFlare” attribution=”CloudFlare”]The vulnerability allows an attacker to add padding to a request in order to then calculate the plaintext of encryption using the SSLv3 protocol. Effectively, this allows an attacker to compromise the encryption when using the SSLv3 protocol.[/blockquote]
Google said that it’s possible to disable support for SSL 3.0, but doing so will impact browser/web compatibility. To address this, Google endorses the following action:
[blockquote person=”Google” attribution=”Google”]Therefore our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.[/blockquote]
The search giant said that it’s now testing features that prevent websites from reverting to using the SSL 3.0 protocol, which will result in some websites to malfunction. Google said it plans to completely remove all support for SSL 3.0 in the next couple of months.
Firefox also said today it will no longer be supporting SSL 3.0 in Firefox 34, to be released by the end of November.
Cropped image of poodle via creative commons by Greg Westall/Flickr