Another Heartbleed-like vulnerability has been discovered in the decade old but still widely used Secure Sockets Layer (SSL) 3.0 cryptographic protocol that could allow an attacker to decrypt contents of encrypted connections to websites.
Google's Security Team revealed on Tuesday that the most widely used web encryption standard SSL 3.0 has a major security vulnerability that could be exploited to steal sensitive data. The flaw affects any product that follows the Secure layer version 3, including Chrome, Firefox, and Internet Explorer.
Researchers dubbed the attack as "POODLE," stands for Padding Oracle On Downgraded Legacy Encryption, which allows an attacker to perform a man-in-the-middle attack in order to decrypt HTTP cookies. The POODLE attack can force a connection to "fallback" to SSL 3.0, where it is then possible to steal cookies, which are meant to store personal data, website preferences or even passwords.
Three Google security engineers - Bodo Möller, along with fellow researchers Thai Duong and Krzysztof Kotowicz - have uncovered this new security hole in widely used SSL 3.0 that makes the 15-year-old protocol nearly impossible to use safely.
"This vulnerability allows the plaintext of secure connections to be calculated by a network attacker," Bodo Möller, of the Google Security Team, wrote in a blog post today. "I discovered this issue in collaboration with Thai Duong and Krzysztof Kotowicz (also Googlers)."
POODLE (PDF) is really a critical threat because it is used by both websites and Web browsers and will remain critical as long as SSL 3.0 is supported. Therefore, both websites and Web browsers must be reconfigured to prevent using SSL 3.0.
While SSL 3.0 is not anymore the most advanced form of Web encryption standard in use, Möller explained Web browsers and secure HTTP servers still need it in case they encounter errors in Transport Layer Security (TLS), SSL's more modern, less vulnerable layer of security.
"If a client and server both support a version of TLS, the security level offered by SSL 3.0 is still relevant since many clients implement a protocol downgrade dance to work around serve side interoperability bugs."
To protect against the POODLE attack, there is nothing an end user can do, same like with the case of Heartbleed and Shellshock. But, companies across the world will be releasing patches to their servers and embedded devices disallowing use of SSl 3.0.
Google discovered the vulnerability a month ago in September, just a few months after the Heartbleed incident brought SSL into the spotlight, and before publicly disclosing the details on the new issue today, the search engine giant alerted software and hardware vendors.
Until the issue is fixed, the trio recommended disabling SSL 3.0 on servers and in clients. For end users, if your browser supports SSL 3.0, you are advised to disable its support or better use tools that support TLS_FALLBACK_SCSV (Transport Layer Security Signalling Cipher Suite Value), it prevents downgrade attacks.
POODLE is a vulnerability lying within the codes of SSL, which is why it affects the widely used browsers. In response to the issue, Google has announced that it is scrubbing SSL 3.0 support from Chrome browser and will soon remove SSL 3.0 support completely from all its products in the coming months.
Mozilla on its part has also announced that it plans to turn off SSL 3.0 in Firefox. "SSLv3 will be disabled by default in Firefox 34," which the company will release next month. The code to disable the protocol will be available tonight via Nightly.
Mozilla on its part has also announced that it plans to turn off SSL 3.0 in Firefox. "SSLv3 will be disabled by default in Firefox 34," which the company will release next month. The code to disable the protocol will be available tonight via Nightly.