Last Tuesday (October 14, 2014), the Security Team at Google announced that a new SSL vulnerability has been discovered. Dubbed POODLE (Padding Oracle On Downloaded Legacy Encryption), the vulnerability allows hackers to gain access to encrypted data, including email, banking and social media accounts. Attacks are dependent on the fact that most web servers and browsers continue to use the 15 year old SSL 3.0 to secure their communications. Although SSL has been succeeded by Transport Layer Security (TSL) encryption, SSL 3.0 is still widely used by to support compatibility with Internet Explorer 6.
What is the POODLE Vulnerability?
POODLE takes advantage of two vulnerabilities found in the protocols in SSL 3.0.
The first vulnerability allows hackers to exploit a weakness in the SSL 3.0 protocol to collect small amounts of plaintext code from an encrypted connection. Through multiple HTTPS requests, the vulnerability allows hackers to determine if a particular byte in the exchange is correct and allows the hacker to observe network traffic between a client and a server.
The second vulnerability involves how protocol negotiations work. Under normal circumstances, a client and a server will automatically communicate via the most recent supported protocol of SSL/TLS. However, when newer version of TLS were deployed, it was discovered that there were behavioural violations of the TLS protocols. Essentially, when browsers fail to authenticate via recent TLS protocols, they attempt to communicate with servers using older protocol versions; in some cases, this can go as far back as SSL 3.0.
Fortunately, security experts say that POODLE is not as serious as the Heartbleed or the Shellshock bug. Both vulnerabilities of POODLE require a man-in-the-middle (MITM) attack to exploit the weaknesses, and will require hackers to manipulate network traffic while it is in transit. Nevertheless, Internet users should take appropriate precautions.
What precautions do you need to take?
As of now, Google Chrome and Mozilla Firefox will begin releasing updates to automatically disable or drop from SSL 3.0 support. For those that would like to immediately halt SSL 3.0 usage, below are some ways to disable it:
For Internet Explorer users:
1. Open the “Tools” menu and select “Internet Options”
2. Click the “Advanced” tab
3. Scroll down to the “Security” category – Uncheck “Use SSL 3.0” and check “Use TLS 1.0”; if available, check “Use TLS 1.1” and “Use TLS 1.2”
For Firefox Users
Mozilla has announced that it will release Firefox 34 which will have SSL 3.0 automatically disabled, on November 25. However, if you would like to disable SSL 3.0 right now, two options are available for you:
The first is to download the SSL Version Control addon for Firefox (the link has been removed by the plugin’s author). The second is to browse to a special URL – “about:config” – and edit the setting for “security.tld.version.min” to “1”. After making the edit, remember to clear your cookies and restart your browser.
For Google Chrome Users
Similar to Firefox, Google Chrome users will receive an update soon that automatically disables SSL 3.0. If you would like to disable SSL immediately, you can update your Chrome shortcut to add the following command-line option: –ssl-version-min=tls1. For example, in most versions of Windows:
- Right-click on the Chrome shortcut on your desktop or Start Menu, and click
- In the Target field, add “ –ssl-version-min=tls1” (no quotes, leading space) to the end of the line, after \chrome.exe”.
- Click OK.
More information about the Poodle vulnerability is available at: https://www.openssl.org/~bodo/ssl-poodle.pdf and googleonlinesecurity.blogspot.ca