A bug discovered by Google could prove to be a boon for hackers worldwide, and a disaster for web security. The vulnerability, which lies within SSL 3.0, an older Web security protocol still used on some systems, could allow an attacker with network access to uncover encrypted data. The flaw could give hackers access to a user's bank account, e-mail, and other services.
Google released details of the exploit, dubbed POODLE (Padding Oracle On Downloaded Legacy Encryption), earlier Wednesday based on research conducted by three engineers. The attack is similar to the BEAST attack discovered in 2011 that used a Java applet to break SSL and TLS security.
“Obsolete and Insecure”
The bug was discovered by a trio of Google engineers: Bodo Möller, Thai Duong, and Krzysztof Kotowicz, who published a paper describing the flaw with SSL (Secure Socket Layer) 3.0. At first glance, a vulnerablity with the SSL protocol might not seem like much of a problem. Less than one percent of the top million domains on Alexa, which ranks Web sites based on the estimated traffic each site receives, still use it.
The researchers said the 15-year-old SSL, which is “an obsolete and insecure protocol,” has mostly been replaced by its successor Transport Layer Security (TLS). However, many systems that have implemented TLS are still vulnerable, since they remain compatible with SSL in order to work around server-side interoperability bugs with legacy systems. Hackers using a man-in-the-middle attack can force a connection error to manipulate systems into downgrading to SSL.
The POODLE attack works by exploiting the tendency for systems to downgrade to SSL security and then stealing secure HTTP cookies. According to the researchers, there is no reasonable workaround to counter the bug. “To achieve secure encryption, SSL 3.0 must be avoided entirely,” according to the paper.
To do that, both Internet browsers and Web sites must be reconfigured to avoid using SSL. Google has done this already for its own servers and for the Google Chrome browser by adding support for a TLS protocol, preventing network connection problems from causing systems to downgrade to less secure protocols, including earlier versions of TLS. Twitter has said it has disabled SSL compatibility. Microsoft, meanwhile, has said it does not consider the vulnerability “to be a high risk to customers,” but may choose to issue a secure update for it.
Starbucks Hotspots Vulnerable
So far, there have been no reports of attacks featuring the POODLE exploit, but security experts say that it is only a matter of time. Unlike other security vulnerabilities. POODLE cannot be defeated by encrypting data, since it is the encryption protocol itself that is vulnerable. Legacy browsers such as Internet Explorer 6, which supports only SSL instead of the later protocols, are particularly at risk.
Because POODLE attacks require a hacker to intercept network traffic, it is more likely to be used by groups such as Russian and Chinese intelligence agencies, the National Security Agency and Britian's spy agency, GCHQ, which have the wherewithal to run man-in-the-middle attacks.
Public Wi-Fi hotspots, such as the network at a local coffee shop, are especially vulnerable to the POODLE exploit. Security experts warn users to avoid logging on to public Internet locales to protect against the attack. Although a POODLE attack would not give a hacker your password, it would allow him to log in to your account by stealing your session cookies.
Image credit: iStock/Artist's concept.
Posted: 2014-10-30 @ 10:51am PT
IE6 does allow you to turn off SSL and use TLS only. Perhaps you had an old, pre-2004 unpatched version.
Posted: 2014-10-15 @ 1:50pm PT
"[S]till used on some systems?" As of yesterday, more than 80% of the servers out there accepted SSL3, which is irresponsible.
SSL3 dates back to Internet Exploder 6 and Windows XP. It is time to leave these obsolete remnants of evolution behind us.
POODLE would not be so serious if corporations update their sites to use TLS (which is a more than 10-year-old standard) and consumers stop using outdated Microsoft products.
All one can say is that in this case the victims are responsible for their own predicaments.