Google Announces Major SSL Vulnerability Called “POODLE”
On Tuesday, three Google researchers disclosed yet another security bug in SSL, the protocol web sites use to encrypt their traffic. The new vulnerability could allow attackers to take over email, banking and other accounts by stealing the “cookie” files that keep you logged in.
The announcement of “POODLE”, which stands for Padding Oracle On Downgraded Legacy Encryption, forced browser and server software developers to recommend that users disable SSL 3.0, a 15-year-old encryption standard. SSL 3.0 has since been superseded by TLS 1.0 and TLS 1.2; however, there is still cause for concern because most modern TLS implementations remain backward compatible with SSL 3.0.
This is the third time this year that security researchers have found vulnerabilities in commonly used web security technology. Last April, the “Heartbleed” bug was uncovered in OpenSSL, and just last month the “Shellshock” vulnerability was discovered in the Unix shell Bash.
How Bad Is It, And How Can You Protect Yourself?
“If Shellshock and Heartbleed were Threat Level 10, then Poodle is more like a 5 or a 6,” said Tal Klein, vice president with cloud security firm Adallom. Google reported that disabling SSL 3.0 support is enough to protect yourself, but that could cause serious compatibility issues with some web applications. Google announced support for TLS_FALLBACK_SCSV, which prevents a connection from being downgraded to SSL 3.0 when a browser retries a failed handshake. Google has supported TLS_FALLBACK_SCSV in Chrome since February and is testing updates today that will disable fallback to SSL 3.0. Google also said it plans to remove SSL 3.0 support from all of its products.
Although the POODLE threat is serious, the best way to protect against it is to upgrade to a newer version of your web browser. Google Chrome, Mozilla Firefox, and Opera all have auto-update options, so users receive fixes quickly. Mozilla Firefox, Microsoft’s Internet Explorer, and Apple’s Safari are all expected to support TLS_FALLBACK_SCSV and drop support for SSL 3.0.
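As an added worked example (not code from the original article, Google or any browser vendor), the following Python sketch shows the server-side rule that TLS_FALLBACK_SCSV relies on (RFC 7507): a client that retries a failed handshake at a lower version appends the signalling cipher suite value 0x5600 to its ClientHello, and a server that supports a newer version refuses the downgraded connection with an inappropriate_fallback alert. The ClientHello bytes are constructed inside the script, and the function names are the example’s own.

```python
import struct

# Protocol version numbers as they appear on the wire (major, minor).
SSL_3_0, TLS_1_0, TLS_1_2 = 0x0300, 0x0301, 0x0303
TLS_FALLBACK_SCSV = 0x5600             # signalling cipher suite value, RFC 7507
ALERT_INAPPROPRIATE_FALLBACK = 86      # fatal alert a server sends on a blocked downgrade


def build_client_hello(version, cipher_suites):
    """Build a minimal ClientHello body (constructed sample input, not a capture):
    version | 32-byte random | empty session id | cipher suites | null compression."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    return body + b"\x01\x00"


def parse_client_hello(body):
    """Return (client_version, [cipher_suites]) from a ClientHello body."""
    (version,) = struct.unpack("!H", body[0:2])
    pos = 2 + 32                                   # skip the client random
    pos += 1 + body[pos]                           # skip the session id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return version, suites


def server_decision(client_hello, server_max_version):
    """Apply the RFC 7507 rule. Returns None to continue the handshake, or the
    alert code to send. The SCSV only triggers when the client offers a version
    below the server's best: that combination is what a forced downgrade looks
    like. A client that genuinely speaks only SSL 3.0 never sends the SCSV, so
    it is unaffected; disabling SSL 3.0 outright is what closes that door."""
    client_version, suites = parse_client_hello(client_hello)
    if TLS_FALLBACK_SCSV in suites and client_version < server_max_version:
        return ALERT_INAPPROPRIATE_FALLBACK
    return None


if __name__ == "__main__":
    retry = build_client_hello(SSL_3_0, [0x002F, TLS_FALLBACK_SCSV])
    print("retry at SSL 3.0 against a TLS 1.2 server ->", server_decision(retry, TLS_1_2))  # 86
    first = build_client_hello(TLS_1_2, [0x002F, TLS_FALLBACK_SCSV])
    print("first attempt at TLS 1.2 ->", server_decision(first, TLS_1_2))                   # None
```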
Websites that have compatibility issues when support for SSL 3.0 is stopped will need to update their code immediately to modern standards.
You can check to see if a website is vulnerable here.
Microsoft has also released a Security Advisory with instructions on how to disable SSL 3.0 through Group Policy and in Internet Explorer.