Three Google security engineers said that the Web encryption standard Secure Socket Layer (SSL) can be exploited due to a new vulnerability named “POODLE.”
According to experts, POODLE is a new security hole in the very old Secure Socket Layer (SSL) 3.0 protocol that could allow encrypted, ostensibly secret information to be exposed by an attacker with network access. Both websites and Web browsers must be reconfigured to stop using SSL 3.0, because POODLE will remain a problem for as long as SSL 3.0 is supported, experts say.
SSL 3.0 is no longer the main protocol used for Web encryption; however, if either the browser or the server runs into problems connecting with the newer Transport Layer Security (TLS), the two sides will often fall back to SSL 3.0. The problem, according to the Google security engineers, is that an attacker can deliberately cause a connection failure, which forces the site to use SSL 3.0. This is why POODLE can be a major security issue: an attacker can force your browser to downgrade to SSL 3.0.
In such cases, experts recommend that administrators add support for TLS_FALLBACK_SCSV, a TLS signaling cipher suite value that lets a server recognise a retry triggered by a forced connection failure and refuse the downgrade. It blocks not only downgrades to SSL 3.0 but also unnecessary downgrades to TLS 1.0 and 1.1. Moreover, experts add that legacy browsers are especially at risk, most notably Internet Explorer 6, which only supports SSL 3.0.
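To make the server side of this concrete, here is an added example (not code from the page or from Google) that parses a minimal, constructed ClientHello and applies the TLS_FALLBACK_SCSV rule from RFC 7507 next to a minimum-version check. It assumes a toy record format with no extensions and a hypothetical negotiate() function standing in for a real server's version selection.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600               # signaling cipher suite value from RFC 7507
SSL3, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)


def build_client_hello(version, suites):
    """Constructed minimal ClientHello (zero random, no session id, no extensions)."""
    body = bytes(version) + b"\x00" * 32 + b"\x00"
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, cipher_suites) from a handshake record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    body = record[5:]
    client_version = (body[4], body[5])
    off = 6 + 32                                       # skip the 32-byte random
    off += 1 + body[off]                               # skip session id
    cs_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    return client_version, suites


def negotiate(record, server_min=TLS10, server_max=TLS12):
    """Hypothetical server version selection: SCSV check first, then the floor."""
    client_version, suites = parse_client_hello(record)
    # RFC 7507 section 3: SCSV present and the offered version is below the
    # server's highest supported version means a downgrade is in progress.
    if TLS_FALLBACK_SCSV in suites and client_version < server_max:
        return "alert:inappropriate_fallback"
    # Disabling SSL 3.0 outright covers clients that never send the SCSV.
    if client_version < server_min:
        return "alert:protocol_version"
    return min(client_version, server_max)
```

A legacy client that only speaks SSL 3.0 never sends the SCSV, so the second check is the one that actually protects it from being served SSL 3.0.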
Users are also at risk on public or otherwise unencrypted Wi-Fi networks: an attacker on the same network could not only capture the actual password but also obtain the user's session cookies, which could be used to log in to the user's accounts easily.
It should also be noted that, compared with Heartbleed or Shellshock, the severity of this threat is quite low. On a 0-10 severity scale where Heartbleed and Shellshock sit at 10, POODLE is somewhere near 6.
This is what you should do:
- If you are worried about having your Internet traffic spied on through SSL 3.0, experts recommend that you avoid using any public Wi-Fi connection.
- If you are a Chrome user and want to disable SSL 3.0, Google advises adding this command-line flag when launching the browser: --ssl-version-min=tls1
- If you are a Mozilla Firefox user, you can install a Mozilla security add-on that disables SSL 3.0.
- If you are using Internet Explorer 7 or newer, go to Internet Options, click the Advanced tab, uncheck SSLv3, and click the OK button.
Stay Aware, Stay Protected