SSL 3.0 POODLE

SSL POODLE

Google security researchers have disclosed a vulnerability in SSL 3.0 that allows attackers to determine the plaintext of secure connections. Attackers can trigger network faults to push browsers back to the 15-year-old protocol, where the flaw can then be used.

POODLE is short for Padding Oracle On Downgraded Legacy Encryption.

Google’s response to the flaw is a plan to scrub SSL 3.0 support from the Chrome browser. The company recommended users switch to tools that instead use TLS_FALLBACK_SCSV, the Transport Layer Security Signalling Cipher Suite Value. Doing so will be more effective than simply disabling SSL 3.0, which will create compatibility issues.

If either side supports only SSL 3.0, then too bad, so sad: a serious update is required to avoid insecure encryption. If SSL 3.0 is neither disabled nor the only possible protocol version, then the attack is possible if the client uses a downgrade dance for interoperability. The flaw allows attackers to steal 'secure' HTTP cookies and HTTP Authorization header contents, among other bearer tokens.
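The server-side check behind TLS_FALLBACK_SCSV, as an added example that is not code from the original post, Google or OpenSSL: it parses a ClientHello and refuses a downgraded retry when the server could have negotiated a higher version. The function names and the sample ClientHello builder are hypothetical; the cipher suite value 0x5600 and alert 86 (inappropriate_fallback) are the ones defined in RFC 7507.

```python
TLS_FALLBACK_SCSV = 0x5600     # RFC 7507 signalling cipher suite value
INAPPROPRIATE_FALLBACK = 86    # RFC 7507 fatal alert description
SSL3, TLS10, TLS12 = 0x0300, 0x0301, 0x0303

def u(b):
    return int.from_bytes(b, "big")

def build_client_hello(version, suites):
    """Constructed sample input: minimal ClientHello record, no extensions."""
    body = version.to_bytes(2, "big") + bytes(32) + b"\x00"   # version, random, empty session id
    body += (2 * len(suites)).to_bytes(2, "big")
    body += b"".join(s.to_bytes(2, "big") for s in suites)
    body += b"\x01\x00"                                       # compression: null only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 = client_hello
    return b"\x16" + min(version, TLS10).to_bytes(2, "big") + len(hs).to_bytes(2, "big") + hs

def parse_client_hello(record):
    """Return (client_version, cipher_suites) from a single-record ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:9 + u(record[6:9])]
    if len(body) != u(record[6:9]) or len(body) < 35:
        raise ValueError("truncated ClientHello")
    pos = 35 + body[34]                    # skip version, random and session id
    cs_len = u(body[pos:pos + 2])
    raw = body[pos + 2:pos + 2 + cs_len]
    if len(body) < pos + 2 or cs_len % 2 or len(raw) != cs_len:
        raise ValueError("malformed cipher suite list")
    return u(body[:2]), [u(raw[i:i + 2]) for i in range(0, cs_len, 2)]

def server_decision(record, server_max=TLS12):
    """Reject a fallback retry that offers less than the server supports."""
    version, suites = parse_client_hello(record)
    if TLS_FALLBACK_SCSV in suites and version < server_max:
        return ("alert", INAPPROPRIATE_FALLBACK)
    return ("negotiate", min(version, server_max))

if __name__ == "__main__":
    # A first attempt, a downgraded retry carrying the SCSV, and a legacy SSL 3.0-only client.
    for hello in (build_client_hello(TLS12, [0xC02F, 0x002F]),
                  build_client_hello(SSL3, [0x002F, TLS_FALLBACK_SCSV]),
                  build_client_hello(SSL3, [0x002F])):
        print(server_decision(hello))
```

The last case still negotiates SSL 3.0: the SCSV only stops a forced downgrade between two peers that both support something newer, so an SSL 3.0-only client or server stays exposed until it is updated.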

Read more about POODLE here: https://www.openssl.org/~bodo/ssl-poodle.pdf and here: http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html

FYI, this attack is widely applicable!!!
