POODLE - Another SSL Vulnerability

by Ostatic Staff - Oct. 15, 2014

Another day, another vulnerability found in a critical piece of Internet infrastructure. This time, Google has found that SSL 3.0 is vulnerable to a man-in-the-middle attack, which means someone could possibly snoop on secure communications between the browser and the server. While serious, this vulnerability doesn’t carry the same weight as the Heartbleed bug. SSL 3.0 is “an obsolete and insecure protocol” released in 1996, but due to older browsers and server-side workarounds, the effects of this bug could be widespread.

The recommendation for all servers is to upgrade to TLS (Transport Layer Security), the successor to the older SSL protocol. However, in the interest of user experience, many servers allow an automatic downgrade back to SSL 3.0 for older browsers during negotiations, or the browser requests the older protocol to work around known issues in the implementation. Further complicating the POODLE problem, an attacker could force the negotiations to revert to 3.0 by causing a failure in the connection. According to Extremetech (who, by the way, also have the best poodle image to accompany the article):

At its core, the problem is that SSL 3.0 relies on the long-since broken RC4 encryption standard. The team demonstrates that it’s relatively simple for an attacker with man-in-the-middle access between client and server to decrypt cookies and access secure information. There’s a full paper on the attack implementation, but the bottom line is simple — it’s impossible to secure SSL 3.0 against the vector, which means killing it off as a widely supported standard is the only viable option.

Mozilla has already announced that it will be disabling SSL 3.0 in Firefox 34, and the larger websites are abandoning support for the ancient protocol now. However, until you are sure that both your browser and the site you are visiting (like, say, your bank?) are secure, this might not be the best time to be shopping online.
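For anyone checking their own traffic, the fallback pattern described earlier (a failed connection followed by a retry that ends at SSL 3.0) can be spotted from the version fields of the handshake hello messages. The following is an added example, not code from Google's report or any project mentioned here; it assumes each hello arrives unfragmented in its own record, and `hello_version`, `audit`, `make_hello` and the sample capture are hypothetical names and constructed data.

```python
import struct

# Wire codes (major, minor) for the protocol versions relevant here.
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 22, 1, 2


def hello_version(record: bytes):
    """Return (handshake_type, (major, minor)) for a hello record, else None."""
    if len(record) < 11:  # 5-byte record header + 4-byte handshake header + version
        return None
    content_type, _maj, _min, _length = struct.unpack("!BBBH", record[:5])
    msg_type = record[5]
    if content_type != HANDSHAKE or msg_type not in (CLIENT_HELLO, SERVER_HELLO):
        return None
    return msg_type, (record[9], record[10])  # bytes 6-8 are the handshake length


def audit(attempts):
    """attempts: one list of captured records per connection attempt, in order."""
    findings, best_offer = [], None
    for n, records in enumerate(attempts, 1):
        for parsed in filter(None, map(hello_version, records)):
            msg_type, ver = parsed
            name = VERSIONS.get(ver, "unknown version")
            if msg_type == CLIENT_HELLO:
                if best_offer and ver < best_offer:
                    findings.append(f"attempt {n}: client fell back to {name}")
                best_offer = max(best_offer or ver, ver)
            elif ver == (3, 0):
                findings.append(f"attempt {n}: server selected SSL 3.0")
    return findings


def make_hello(msg_type, ver):
    """Constructed sample record: version plus a zero-filled 32-byte random."""
    body = bytes(ver) + bytes(32)
    handshake = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 3, 0]) + len(handshake).to_bytes(2, "big") + handshake


# Constructed capture: a TLS 1.2 offer that gets no reply, then an SSL 3.0 retry.
SAMPLE = [
    [make_hello(CLIENT_HELLO, (3, 3))],
    [make_hello(CLIENT_HELLO, (3, 0)), make_hello(SERVER_HELLO, (3, 0))],
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A clean TLS 1.2 handshake produces no findings; the sample produces one for the client's lower-version retry and one for the server accepting SSL 3.0.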

Interestingly, the report detailing the POODLE vulnerability was published by Google last month, and according to the New York Times, was “leaked” on Tuesday:

Three researchers at Google, Bodo Möller, Thai Duong, Krzysztof Kotowicz, disclosed details of a Poodle attack in a report last month.

Rumors of the bug have leaked over the last few days, prompting the OpenSSL Project, which develops the most widely used type of SSL encryption software, to publish the report on Tuesday. The advisory prompted makers of web browsers, and server software, as well as some technology companies, to disable support for SSL 3.0.

I’m not sure why news of the bug had to leak. Now that the bug is well known, the entire industry is moving to stop it, something I think could have happened when the paper was published.