Google researchers have discovered a serious vulnerability in SSL 3.0- a widely used web encryption technology- that could be exploited by cyber attackers to launch “Poodle” attacks over the internet. According to Google’s security expert Bodo Möller the “vulnerability allows the plaintext of secure connections to be calculated by a network attacker.”
Technically, a Security Socket Layer (SSL), facilitates safe connection between your browser and other secure websites such as banks, email accounts and other social site. It a basic internet protocol that has been around for the last 18years.
Ideally, modern web browser use new versions of SSL or TSL (Transport Socket Layer), but support SSL 3.0 as a fallback incase the browser fails to establish a connection with the server. Initially server and clients attempts to establish a connection using the most secure internet protocol available to both of them, if one fails then the next most secure protocol is used.
This “protocol downgrade dance” between the server and the client as they try to establish a connection is a vulnerability than be exploited by attackers using the Poodle (Padding Oracle On Downgraded Legacy Encryption) attack. That means the attacker will repeatedly interrupt the connection forcing a protocol downgrade until the less secure SSL 3.0 protocol is used. “A network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue,” said Möller.
Google explains that the SSL 3.0 is less secure and the “encryption used in SSL 3.0 is fairly easily cracked and a relatively simple main-in-the-middle attack can then be used to intercept and decrypt secure cookies.”
Cookies are used by the browser to persistently login in into a site without necessarily requiring repeat passwords. That implies that an attacker with access to your session cookie can easily masquerade as you, and login to your secure sites even without a password.
Like Errata Security‘s Robert Graham puts it, “some hacker next to you will be able to post tweets in your Twitter account and read all your Gmail messages. These are two examples—they really have near complete control over your accounts. They won’t be able to steal your password, however.” Using a public network increases the chance of an attack says Graham.
The POODLE vulnerability dubbed “PoodleBleed” comes in the wake of Heartbleed and Shellshock. Both bugs have caused jitters in the tech world recently. Heartbleed, discovered in April is a vulnerability in a different version of SSL, Shellshock is a software vulnerability in Unix based operation systems.
PoodleBleed is not as serious as Heartbleed or Shellshock, but it presents a potential security threat to internet users. “If Shellshock and Heartbleed were Threat Level 10, then Poodle is more like a 5 or a 6,” said Tal Klein, vice president with cloud security firm Adallom.
There is no clear way of taming the PoodleBleed. In response to the discovered bug, Google advised its customers to support TLS_FALLBACK_SCSV patch. “A mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.”
However, security experts think the TLS_FALLBACK_SCSV patch is not as effective as advertised by google. “Unfortunately, the TLS_FALLBACK_SCSV workaround is only effective when both browsers and servers have been patched. As we’ve seen in previous vulnerabilities, that can take a long time across the big, wide Internet, “says David Hamilton.
In addition to the patch, Google will disable SSL3 support in all its clients’ products. Likewise Mozilla acknowledged the problem with SSL 3.0 and called on its clients to disable the protocol. “SSL version 3.0 is no longer secure,” Mozilla said on its blog. “Browsers and websites need to turn off SSLv3 and use more modern security protocols as soon as possible.”
Note everyone will be willing to disable SSL 3.0 that easily. Disabling SSL 3.0 means that websites that support SSL 3.0 will become incompatible with older browsers such Internet Explorer 6 and operating systems such as Windows XP. That implies an internet black out for machines running on Internet Explorer 6 and windows XP.
According to CloudFlare CEO, Mathew Price, killing SSL 3.0 will “impact on some older browsers, resulting in an SSL connection error,” Prince wrote. “The biggest impact is Internet Explorer 6 running on Windows XP or older.”
Matthew Green, an assistant research professor of computer science at Johns Hopkins University also acknowledged the challenges of disabling SSL. “It’s not going to take out the infrastructure of the Internet. But it’s going to be a hassle to fix,” Green said
Apparently, the increasing number of vulnerabilities makes it more difficult to secure the cyberspace. For starters, it is advisable to keep off public networks at all cost. However “If you’re online on a public Wi-Fi network, use a VPN to encrypt your connection. That should frustrate most would-be hackers unless you’ve landed on an NSA watch list,” concludes David Hamilton. One can set up a home VPN networks accessible from anywhere.