dubbed POODLE | Google discovers vulnerability in SSL 3.0 | POODLE

Dubbed POODLE | Google discovers vulnerability in SSL 3.0 | POODLE

When you access high profile sites and services such as your bank, Twitter  or Google  you typically access sites using https:// or a feature called SSL  (secure sockets layer) but a new security defect could break that open. SSL or TLS (Transport Layer Security) provides encryption to protect your information from being intercepted, spied upon or modified by attackers in between you and the service provider. This widely used technology is what prevents someone sat next you in Starbucks from watching your transactions as you access your Internet banking and is also frequently used when accessing your e-mail account to stop your username and password disappearing in to the hands of cyber criminals. Simply put SSL is a core component of security, privacy and trust on the Internet . Great though all that sounds unfortunately many sites still fail to adhere to best practice and many don’t implement these security features at all leaving information open to interception. Even those which do try to do the right thing can have significant setbacks due to implementation failures or security vulnerabilities. That is precisely what has happened with the new, cutely named, but very nasty POODLE vulnerability.

SSL has a number of different versions and which you support is important from a security standpoint. Backwards compatibility with older versions can get you in real trouble and you can see a wonderfully detailed breakout of the features of each version and timelines here. The POODLE vulnerability impacts SSL version 3 and under the right conditions would allow an attacker to gain access to information that would let them take over your account . For example, the flaw may enable an attacker to gain access to session tokens or credentials so they can hijack the identify of another user. The vulnerability, discovered by Google security researchers Thai Duong, Bodo Moller and Krzysztof Kotowiczis is fully outlined in this paper and makes interesting reading. Geeky bit: the attack is essentially an oracle padding attack in CBC (cipher block chaining which uses output of previous blocks as input to the next block processing to prevent duplicate blocks of data producing identical cipher text blocks) mode ciphers in SSLv3.

For the attack to work the attacker must be on the same wireless network (or in the path of your communications) and your client must be running Javascript (such as in a web browser) which makes the attack less all out serious than vulnerabilities like Heartbleed . This attack is effective against clients (as opposed to servers like with Heartbleed or Shellshocked) and so is of the greatest concern to users browsing on wireless hotspots where others may be listening but is sufficiently serious that Twitter has announced they have entirely disabled SSLv3 .