Google Engineers Discover a 'Poodle' flaw in Web Encryption Standard: Don't Use Public Wi-Fi
Google researchers Bodo Möller, Thai Duong and Krzysztof Kotowicz published a report about the exploit they found in the 18-year old SSL 3.0 encryption protocol for browsers and websites. The exploit lets attackers calculate the plain text of secure connections, and is dubbed POODLE for Padding Oracle On Downgraded Legacy Encryption.
When a browser's connection gets reset, it will use SSL 3.0 to retry, and that's where the exploit can take place. Despite the standard being 18-year old, it is still supported by all browsers and websites, and Google researchers said disabling SSL 3.0 support is enough to mitigate the exploit. However, the transition can cause serious compatibility issues for websites.
Google recommends websites use TLS_FALLBACK_SCSV, which solves the problem of retrying failed connections, and Google has evidence it does not cause compatibility issues. Google also is testing Chrome with disabled SSL 3.0 support, which may break some sites, and if it happens, these sites will ne to be updated.
How Likely Are You to Become A Target of POODLE Exploit?
CNET cites a browser specialist from White Hat Security firm, Robert Hansen, "[POODLE] is pretty bad, but you have to keep in mind that it only affects a Man-In-The-Middle situation," an attack where the hacker surreptitiously intercepts network traffic.
There are still no publicly confirmed cases of POODLE attacks, but Hansen says it is only a matter of time before there will be a tool helping hackers exploit it. Another research analyst from CloudMark, Andrew Conway, said POODLE is an exploit difficult to implement for a regular hacker, but 'potentially attractive' to 'national security services like NSA, GHCQ and Russian and Chinese intelligence.' He added Tor exit nodes and public Wi-Fi are potential spots where POODLE can be exploited.
Tech Companies Take Action, or So They Say
PayPal and Apple are among the tech companies that have taken quick actions to mitigate the threat. PayPal has announced that it is updating its security protocols, and some merchants may experience compatibility problems. In a blog post, PayPal CTO James Barrese wrote:
“So far, we’ve determined that we must disable SSL 3.0 support as soon as we reasonably can. Unfortunately, this necessary step may cause compatibility problems for a few of our customers resulting in the inability to pay with PayPal on some merchant sites or other processing issues that we are still identifying.”
Apple is moving from SSL 3.0 to TSL encryption for its push notifications starting October 29, while Twitter, Mozilla and CloudFlare have all quickly announced they would be discontinuing SSL 3.0 support. Apple issued a POODLE fix for OS X last week, following Mozilla's announcement that Firefox's next version 34 will come without support for SSL 3.0.
How To Protect Yourself
In the meantime, here are some things you can do to protect yourself from POODLE:
- Don't use public Wi-Fi, or any connection you do not trust, especially unencrypted
- Chrome users, can disable SSL 3.0 right now by adding a command line flag to the browser:
- Mozilla Firefox users can install this add-on SSL Version Control. Or, you can go to about:config in your browser, and set security.tls.version.min to 1.
Microsoft has not commented on the issue, but my guess its OneDrive performance issues might be related to some of the patches they are introducing, or at least that's what I'd like to think they are doing.