On Tuesday, Google researchers, Bodo Möller, along with fellow researchers Thai Duong and Krzysztof Kotowicz found a "vulnerability in the design of SSL version 3.0" that could let assailants to steal email, banking and social networking data, in what they have classified a "Poodle" attack. ("Poodle" stands for Padding Oracle On Downloaded Legacy Encryption.)
The recent discovery of Poodle has provoked Google to warn users to disable use of the source of the bug: an 18-year old encryption protocol known as SSL 3.0, which is still widely used in web browsers and websites. The risk was revealed in a research paper published last month on the site of the OpenSSL Project, which creates the most broadly utilized software for SSL encryption.
"SSL 3.0 is nearly 15 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue," wrote Möller.
Details of a bug found in SSL software speculated quite recently, persuading some security experts to plan for a significant hazard this week.
"Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue," Google said in the statement. The immediate fix to the problem will "break some sites and those sites will need to be updated quickly."
"In the coming months, we hope to remove support for SSL 3.0 completely from our client products," Google said.
So far this year, similar vulnerabilities were found twice by researchers, which includes April’s ‘Heartbleed’ bug in OpenSSL and September’s ‘Shellshock’ bug found in a Unix software known as Bash.
Experts alleged that assailants could steal session cookies in a so-called Poodle attack, and possibly steal email, banking and social networking data. Most security experts deem the threat as not so high-risk in comparison to the two bugs that were discovered previously.
Tal Klein, vice president of cloud security firm Adallom said, "If Shellshock and Heartbleed were Threat Level 10, then Poodle is more like a 5 or a 6."
Ivan Ristic, director of application security research at Qualys, said "Poodle" was not as dangerous as the past threats on the grounds that the attack seemed to be ‘quite complicated,' which would require hackers to have privileged access to vulnerable networks.
Jeff Moss, founder of the Def Con hacking conference and an advisor to the U.S. Department of Homeland Security, said assailants would need to initiate a 'man-in-the-middle' attack, putting themselves in the middle of exploited users and sites utilizing techniques, for example, making independent Wi-Fi "hotspots" in internet cafes.
Google recommended a specialized bypass to secure web servers, yet included its blog that it wants to inevitably axe support for SSL 3.0 from all client programming.
Mozilla arranged to disable SSL 3.0 by default in the succeeding version of Firefox browser that is scheduled for released on November 25.
"SSL version 3.0 is no longer secure," Mozilla advisory explains. "Browsers and websites need to turn off SSLv3 and use more modern security protocols as soon as possible."
Microsoft issued a ccounselling proposing that users disable SSL 3.0 on Windows for servers and PCs.