As we wrote earlier this month Google discovered a flow in the SSL 3.0 certificate of web-sites and servers allowing attackers to steal information from users. The flaw found is officially called Padding Oracle On Downgraded Legacy Encryption (POODLE). What it does is allowing hackers to steal users’ information and cookies by the so-called Man-in-the-Middle (MITM) technique, relying on unsecure connections where they lead users to fall back into earlier versions like the above-mentioned certificate.
Google announced that they will be releasing a new version of their Chrome browser in six weeks’ time to remove that flaw. The ability of the new browser’s version to fall back on wrong or buggy servers will be disabled by default.
‘SSLv3-fallback is only needed to support buggy HTTPS servers. Servers that correctly support only SSLv3 will continue to work (for now) but some buggy servers may stop working. The answer in these cases is to fix the server — TLS 1.0 is nearly 15 years old at this point’, Adam Langley, a Google security engineer, said in a post announcing the release.
Lacking the time to translate the error for users falling back to buggy servers, Chrome’s version 39 will only show an error message stating ‘ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION’ to identify the issue. A yellow badge in the address bar of the browser will alert users when they enter sites working with SSL 3.0 and these will have to be upgraded to at least TLS 1.0 before Chrome 40 is released.
→’However, a lack of a yellow badge doesn’t mean that everything will be fine as there could still be subresources of the page that are served over SSLv3 connections. Developers can run Chrome with –ssl-version-min=tls1 in order to test their sites.’, Langley’s post continues.
Google Chrome 40 is due to be released in twelve weeks time, i.e. 6 weeks after Chrome 39’s release and SSL 3.0 support will be completely removed in its code. This is under the condition that all servers are upgraded to TLS 1.0 version at least by then though.
‘In time, SSLv3 client support will be removed from the code, so anyone re-enabling SSLv3 and/or fallback to it via policy, command line options or about:flags should not treat that as a long-term solution.”, warns the post.
Earlier this month in order to prevent POODSLE attacks Mozilla also announced that they will be releasing a new version of the browser – Mozilla 34. It is due on November 25.
Users working with Microsoft’s Internet Explorer can apply a fix to prevent the issue, following Microsofts guide here.
However, using secure VPN connections, especially in public places, remains the best protection against these attacks.