POODLE Internet Security Bug Exposed

A bug discovered by Google could prove to be a boon for hackers worldwide, and a disaster for web security. The vulnerability, which lies within SSL 3.0, an older Web security protocol still used on some systems, could allow an attacker with network access to uncover encrypted data. The flaw could give hackers access to a user's bank account, e-mail, and other services.

Google released details of the exploit, dubbed POODLE (Padding Oracle On Downloaded Legacy Encryption), earlier Wednesday based on research conducted by three engineers. The attack is similar to the BEAST attack discovered in 2011 that used a Java applet to break SSL and TLS security.

“Obsolete and Insecure”

The bug was discovered by a trio of Google engineers: Bodo Möller, Thai Duong, and Krzysztof Kotowicz, who published a paper describing the flaw with SSL (Secure Socket Layer) 3.0. At first glance, a vulnerability in the SSL protocol might not seem like much of a problem. Less than one percent of the top million domains on Alexa, which ranks Web sites based on the estimated traffic each site receives, still use it.

The researchers said the 15-year-old SSL, which is “an obsolete and insecure protocol,” has mostly been replaced by its successor Transport Layer Security (TLS). However, many systems that have implemented TLS are still vulnerable, since they remain compatible with SSL in order to work around server-side interoperability bugs with legacy systems. Hackers using a man-in-the-middle attack can force a connection error to manipulate systems into downgrading to SSL.

The POODLE attack works by exploiting the tendency for systems to downgrade to SSL security and then stealing secure HTTP cookies. According to the researchers, there is no reasonable workaround to counter the bug. “To achieve secure encryption, SSL 3.0 must be avoided entirely,” according to the paper....
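The two preceding paragraphs describe the precondition POODLE relies on: a client that answers a failed handshake by retrying with an older protocol version until it lands on SSL 3.0, and the paper's remedy of never speaking SSL 3.0 at all. The following Python model, written for this article and not taken from the Google paper or any TLS library, simulates that version-fallback logic. `Server`, `DroppingNetwork`, `connect_with_fallback`, the version list and the `minimum` parameter are all hypothetical names; the network class models an on-path attacker only as "handshakes above a given version fail", which is the connection error the article mentions. It shows that a fallback client reaches SSL 3.0 under that condition, and that either removing SSL 3.0 from the server or giving the client a version floor makes the downgrade impossible.

```python
"""Simulation of protocol-version fallback (the "downgrade dance").

Hypothetical model written to illustrate the article; not code from the
POODLE paper or from any real TLS implementation.
"""
from typing import Optional, Set

# Newest first; a client offers its best version and falls back from there.
VERSIONS = ["TLS1.2", "TLS1.1", "TLS1.0", "SSL3.0"]


class Server:
    """Honest server that completes a handshake for any version it supports."""

    def __init__(self, supported: Set[str]) -> None:
        self.supported = supported

    def handshake(self, version: str) -> bool:
        return version in self.supported


class DroppingNetwork:
    """Network path on which every handshake newer than `lowest_allowed` fails.

    This models the article's "force a connection error" step: the party in the
    middle cannot read the traffic, it only makes the newer handshakes fail so
    that a fallback client keeps retrying with older versions.
    """

    def __init__(self, server: Server, lowest_allowed: str) -> None:
        self.server = server
        self.lowest_allowed = lowest_allowed

    def handshake(self, version: str) -> bool:
        if VERSIONS.index(version) < VERSIONS.index(self.lowest_allowed):
            return False  # dropped: looks like a plain connection error
        return self.server.handshake(version)


def connect_with_fallback(path, minimum: Optional[str] = None) -> Optional[str]:
    """Legacy client behaviour: on a failed handshake, retry one version older.

    Returns the version that was negotiated, or None if the client gave up.
    With minimum=None the client will fall all the way to SSL 3.0, which is
    the behaviour POODLE depends on. With minimum="TLS1.0" the client never
    offers SSL 3.0, i.e. SSL 3.0 is "avoided entirely" on the client side.
    """
    for version in VERSIONS:
        if minimum is not None and VERSIONS.index(version) > VERSIONS.index(minimum):
            return None  # refuse rather than speak a version below the floor
        if path.handshake(version):
            return version
    return None


def demo():
    """Three constructed scenarios; returns the negotiated version of each."""
    legacy_server = Server({"TLS1.2", "TLS1.1", "TLS1.0", "SSL3.0"})
    attacked_path = DroppingNetwork(legacy_server, "SSL3.0")

    # 1. Fallback client + SSLv3-compatible server: downgraded to SSL 3.0.
    vulnerable = connect_with_fallback(attacked_path)
    # 2. Same path, but the client has a version floor: connection refused.
    client_fixed = connect_with_fallback(attacked_path, minimum="TLS1.0")
    # 3. Server with SSL 3.0 removed: the dance ends with no connection at all.
    fixed_server = Server({"TLS1.2", "TLS1.1", "TLS1.0"})
    server_fixed = connect_with_fallback(DroppingNetwork(fixed_server, "SSL3.0"))
    return vulnerable, client_fixed, server_fixed


if __name__ == "__main__":
    print(demo())  # ('SSL3.0', None, None)
```

In scenarios 2 and 3 the forced errors turn into a failed connection rather than an SSL 3.0 session, which is the trade-off the paper accepts: interoperability with SSL 3.0-only peers is given up so that no connection can be pushed onto the broken protocol.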
