Google Discovers SSL 3.0 Encryption Bug, Warns of Vicious ‘Poodle’ Attacks


On Tuesday, Google researcher Bodo Möller, along with fellow researchers Thai Duong and Krzysztof Kotowicz, found a “vulnerability in the design of SSL version 3.0” that could let assailants steal email, banking and social networking data, in what they have called a “Poodle” attack. (“Poodle” stands for Padding Oracle On Downloaded Legacy Encryption.)

The recent discovery of Poodle has prompted Google to warn users to disable the source of the bug: an 18-year-old encryption protocol known as SSL 3.0, which is still widely used in web browsers and websites. The risk was revealed in a research paper published last month on the site of the OpenSSL Project, which creates the most widely used software for SSL encryption.

“SSL 3.0 is nearly 15 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue,” wrote Möller.

Speculation about a bug in SSL software had been circulating recently, prompting some security experts to prepare for a significant threat this week.

“Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue,” Google said in the statement. The immediate fix to the problem will “break some sites and those sites will need to be updated quickly.”

“In the coming months, we hope to remove support for SSL 3.0 completely from our client products,” Google said.

Researchers have already found similar vulnerabilities twice this year: April’s ‘Heartbleed’ bug in OpenSSL and September’s ‘Shellshock’ bug in the Unix software known as Bash.

Experts said that assailants could steal session cookies in a so-called Poodle attack, and possibly steal email, banking and social networking data. Most security experts consider the threat less serious than the two bugs that were discovered previously.

Tal Klein, vice president of cloud security firm Adallom, said, “If Shellshock and Heartbleed were Threat Level 10, then Poodle is more like a 5 or a 6.”

Ivan Ristic, director of application security research at Qualys, said “Poodle” was not as dangerous as the past threats because the attack seemed to be ‘quite complicated,’ requiring hackers to have privileged access to vulnerable networks.

Jeff Moss, founder of the Def Con hacking conference and an advisor to the U.S. Department of Homeland Security, said assailants would need to mount a ‘man-in-the-middle’ attack, placing themselves between the targeted users and the sites they visit using techniques such as setting up their own Wi-Fi “hotspots” in internet cafes.

Google recommended a specialized workaround to secure web servers, but added in its blog post that it ultimately wants to drop support for SSL 3.0 from all client software.

Mozilla plans to disable SSL 3.0 by default in the next version of the Firefox browser, which is scheduled for release on November 25.

“SSL version 3.0 is no longer secure,” Mozilla’s advisory explains. “Browsers and websites need to turn off SSLv3 and use more modern security protocols as soon as possible.”

Microsoft issued an advisory recommending that users disable SSL 3.0 on Windows for servers and PCs.
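
The fallback behaviour Möller describes, and the effect of the advice from Google, Mozilla and Microsoft to turn SSL 3.0 off, can be seen in a small model. This is an added example, not code from the researchers or any browser: the `negotiate` function, the version ladder and the scenario names are assumptions made for illustration, and it models only version selection, not the TLS handshake itself.

```python
# Added illustration: a simplified model of version fallback, not real TLS code.
VERSIONS = ["TLS 1.2", "TLS 1.1", "TLS 1.0", "SSL 3.0"]  # newest first
ALL = set(VERSIONS)
NO_SSL3 = ALL - {"SSL 3.0"}


def negotiate(client, server, breaks=lambda offered: False):
    """Return the version a fallback-retrying client ends up using, or None.

    client, server: sets of protocol versions each side has enabled.
    breaks(offered): True when the network path makes a handshake that
    offers `offered` as its highest version fail (the "connection
    failures" in the quoted statement).
    None means every attempt failed and no connection is made.
    """
    for i, offered in enumerate(VERSIONS):      # retry from newest to oldest
        if offered not in client or breaks(offered):
            continue
        # The server answers with the best mutually enabled version
        # that is not newer than what the client offered.
        for version in VERSIONS[i:]:
            if version in client and version in server:
                return version
    return None


def only_ssl3_survives(offered):
    """Network path on which every handshake newer than SSL 3.0 fails."""
    return offered != "SSL 3.0"


def scenarios():
    """Outcome of the same interference against different configurations."""
    return {
        "clean network, SSL 3.0 enabled on both sides":
            negotiate(ALL, ALL),
        "failures forced, SSL 3.0 enabled on both sides":
            negotiate(ALL, ALL, only_ssl3_survives),
        "failures forced, client has SSL 3.0 disabled":
            negotiate(NO_SSL3, ALL, only_ssl3_survives),
        "failures forced, server has SSL 3.0 disabled":
            negotiate(ALL, NO_SSL3, only_ssl3_survives),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result or 'no connection'}")
```

With SSL 3.0 disabled on either side the forced failures end in no connection at all, which is also why the immediate fix breaks sites that support nothing newer.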

Carrie Ann
Carrie Ann is Editor-in-Chief at Industry Leaders Magazine, based in Las Vegas. Carrie covers technology, trends, marketing, brands, productivity, and leadership. When she isn’t writing she prefers reading. She loves reading books and articles on business, economics, corporate law, luxury products, artificial intelligence, and latest technology. She’s keen on political discussions and shares an undying passion for gadgets.
