Last Tuesday, a trio of Google researchers published news regarding the existence of an Internet-wide security vulnerability that has a cute name but unfortunately also potentially disastrous effects. POODLE, which stands for Padding Oracle On Downgraded Legacy Encryption, is a new security hole that targets Secure Socket Layer (SSL) 3.0. Since SSL protects data that are in transit between a website and the users, POODLE potentially allows hackers to decrypt the HTTP cookies, which can be used to store personal information, website preferences or even passwords, depending on the situation. For example, POODLE could allow an attacker to hijack and decrypt the session cookie that identifies you to a service like Twitter or Google, and then take over your accounts without needing your password.
Since SSL 3.0 has largely been replaced by TLC (Transport Layer Security) and other successors, the easiest way to solve the problem should be simply to stop supporting SSL 3.0. Unfortunately, even though SSL is a pretty old (15 years) protocol, it is still used in most web browsers as a fallback for countless servers in case modern protocols fail to connect. In addition, there are some products and browsers, like Internet Explorer 6 for Windows XP, that only use SSLv3. As a consequence, Google says that stopping the support of SSL might lead to side effects, such as significant compatibility and connectivity issues.
"There is no reasonable workaround," Google wrote in its security advisory. SSL cannot be fixed and needs to be avoided entirely. Consequently, the problem is likely to remain as long as SSL 3.0 is supported. As a positive note, Google seems to have discovered the vulnerability on its own, and it is not clear how wide-spread it is. For now, Google says that the best solution is for browsers and severs to support TLS_FALLBACK-SCSV, a mechanism designed to stop attackers from forcing security handshakes to default to older standards. Google Chrome and the company's own servers have been using it without compatibility problems since February; the company is also testing further Chrome changes that disable falling back to 3.0 altogether. In the meantime, companies worldwide will be scrambling to issue patches to their servers and embedded devices disallowing use of SSL 3.0.
I could not have written this article without the help of the following sources:
- http://www.cnet.com/news/google-exposes-poodle-flaw-in-web-encryption/
- http://www.nbcnews.com/tech/security/new-poodle-bug-takes-bite-out-ssl-3-0-web-n225911
- http://www.androidauthority.com/google-researchers-poodle-538076/
- http://www.engadget.com/2014/10/14/google-discovers-another-web-security-flaw-that-leaves-your-brow/
- http://www.wired.com/2014/10/poodle-explained/?mbid=social_fb