Call now! (ID:220229)+44-20-3695-1294
HomeBlogNew SSL Vulnerability Called Poodle Discovered By Google Experts

New SSL Vulnerability Called Poodle Discovered By Google Experts

Another SSL vulnerability called the POODLE bug, has been detected and server-side measures have been taken.


Just a few months after the Heartbleed bug shattered the believed-to-be-secure SSL/TLS encryption layer status quo and put data transfers, emails, instant messages, etc. at risk, and now a new SSL vulnerability has been brought to light by Google experts.


According to Google researchers, a weakness in the SSL 3.0 protocol could be used to eavesdrop critical data that is transferred over an encrypted connection between web browsers, apps, etc. and servers.


The ‘new’ bug is called POODLE, an acronym for Padding Oracle On Downgraded Legacy Encryption.


The newly discovered POODLE exploit poses a great threat to online security, since it affects an old SSL version, which is still widely used by the majority of servers and clients.


It allows hackers to outsmart a web client by telling it that the server does not support the more secure TLS (Transport Layer Security) protocol, so the client is forced to connect via SSL 3.0.


This downgrade maneuver opens the door of abuse and attackers can freely decrypt secure HTTP data and steal the protected information.


Measures taken against POODLE attacks


With the discovery of POODLE, the security specialists at Google instantly recommended measures for dealing with this encryption issue.

First and foremost, the SSL 3.0 protocol needs to be disabled for both participants in the SSL communication – the server and the client, and they need to default to the more secure TLS. This will stop attackers from forcing the communication to go through the exploited SSL 3.0.


Server-side measures:


In response to the Google team’s recommendation, our web hosting servers no longer support SSL 3.0 and older versions of the protocol. Also, our admins have set the minimum SSL requirement to the provenly secure TLS 1.0.


NOTE: As a result, an Internet Explorer browser whose version is 6.0 or older will not be able to access websites hosted on our servers.


Client-side measures:


As far as web clients are concerned, Google specialists recommend that end users immediately disable SSL 3.0 support in their browsers, if such exists.


The detailed instructions are here: POODLE - Disabling SSLv3 Support in Browsers


There is a SSL version control add-on for Firefox here (no browser restart).


In response to the issue, Google plans to remove SSL 3.0 support completely from all its products in the upcoming months. Currently, they even offer a Chromium patch, which disables the SSL 3.0 fallback (use first link above).


Mozilla has also announced plans to turn off SSL 3.0 in Firefox and it will be disabled by default in Firefox 34, which will be released on November 25. If you don't want to wait until November 25, use the Firefox link above to disable now.


Upcoming actions against POODLE attacks


To further secure our system against future downgrade attacks, our admins are also planning to implement TLS_FALLBACK_SCSV (Transport Layer Security Signalling Cipher Suite Value) on all our servers shortly. We’ll keep you posted.


More info on POODLE is available here.



Tags: , , , , , ,