Google researchers Bodo Möller, Thai Duong & Krzysztof Kotowicz announced yesterday that they have recently discovered Padding Oracle On Downgraded Legacy Encryption, known as POODLE, to be attacking the SSL 3.0 version of the public-encryption key introduced by Microsoft back in 1996. In 1999 the key was replaced by a newer version, known by the name of TLS 1.0, two more coming after that (TLS 1.1 & TLS 1.2) but a vast majority of websites and browsers are still using the older, less secure version of the certificate. What POODLE does is taking advantage when someone downgrades to the older version if unable to establish a secure connection. The downgrade can be triggered by network glitches or live hacker attacks as well.
Why Is Everybody Still Using SSL 3.0 When It’s Almost 20 Years Old?
‘The problem is that the internet has a whole heap of moving parts which evolve independently of each other.’, security researcher Troy Hunt says. …. ‘And so it is with SSL; when two parties (say a browser and a server) are at different stages of evolution and offer support for different versions, they could either throw their hands up and say ‘We just can’t get along’ or they can compromise and fall back to a common version they can both support. The latter is the more usable so that’s what often happens. (Incidentally, this happens implicitly and without user interaction. It’s a ‘feature.)’
POODLE’s bug Way of Acting
It usually appears when someone is using a non-secured public Wi-Fi connection and not very likely to happen if you’re at home, using Wi-Fi protected connection. It uses the so-called Man-in-the-Middle technique. If you’re sitting in a cyber café or another place with unsecured Wi-Fi, for example, a hacker sitting next to you, using the same unsecured connection, may force the network to downgrade to SSL 3.0, thus being able to browse around the same places you are visiting over the Internet at the moment. The technology is not able to steal passwords or other user-verification data but if someone sitting next to you can see what you see at the moment they can browse around your e-mails, Facebook, or Twitter messages with no problem.
Protection from POODLE Attacks
There are a few things you can do to protect yourself and your data from such attacks.
- First of all, do not enter sites containing personal information on places with free Wi-Fi if possible. If you really must do so, use VPN protection if possible, they are no longer used only for work anymore and with a little guidance anyone can establish such connection.
- Second, be careful what sites you’re visiting when using unsecured connections. Attackers need a specially designed Java-script code to downgrade to SSL 3.0 and access your information and can trick you into visiting such sites if possible.
- The third and utmost solution for you is to disable the SSL 3.0 certificate from the browsers you are using. In their next release on 25 November this year Mozilla is going to remove it by default.
Google is scraping it from Chrome’s code at the moment. Using versions later than Microsoft’s IE6 might also solve the issue, Microsoft has also posted an official guide how to remove it from the browser yourself. Apple’s Safari is rumored to remove it in its next release but unfortunately, no official information was found.
There are two pages testing whether you are vulnerable to POODLE or not – poodletest.com and poodle.io. They are quite amusing actually and containing guides on how to proceed if you’re vulnerable as well. Try checking them out and fixing your browsers – it is worthwhile!
