Google Discovers SSL 3.0 Encryption Bug, Warns of Vicious ‘Poodle’ Attacks

On Tuesday, Google researcher Bodo Möller, together with fellow researchers Thai Duong and Krzysztof Kotowicz, disclosed a “vulnerability in the design of SSL version 3.0” that could let attackers steal email, banking and social networking data in what they have named a “Poodle” attack. (“Poodle” stands for Padding Oracle On Downgraded Legacy Encryption.)

The discovery of Poodle has prompted Google to warn users to disable the source of the bug: an 18-year-old encryption protocol known as SSL 3.0, which is still widely used in web browsers and on websites. The risk was revealed in a research paper published last month on the site of the OpenSSL Project, which produces the most widely used software for SSL encryption.

“SSL 3.0 is nearly 15 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue,” wrote Möller.
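To show the design flaw the quoted passage refers to, here is an added example (not code from the article, from Google's paper or from any SSL library) contrasting the CBC padding check that SSL 3.0 specifies with the stricter one TLS 1.0 uses; the block size, byte values and function names are constructed for illustration.

```python
# Added illustration, not code from the article or the POODLE paper.
# SSL 3.0 leaves CBC padding bytes unspecified, so a receiver can only check
# the length byte; TLS 1.0 fixed this. That loose rule is the design flaw
# behind the padding oracle, which is why the remedy is to disable SSL 3.0.
BLOCK_SIZE = 8  # block size of 3DES-CBC, a typical SSL 3.0 cipher (assumed)


def ssl3_padding_ok(last_block: bytes) -> bool:
    """SSL 3.0 (RFC 6101, 5.2.3.2): only the final byte, the padding length,
    is checked. The padding bytes themselves may hold any value."""
    if len(last_block) != BLOCK_SIZE:
        return False
    return last_block[-1] < BLOCK_SIZE


def tls_padding_ok(last_block: bytes) -> bool:
    """TLS 1.0 (RFC 2246, 6.2.3.2): every padding byte must equal the padding
    length, so altered padding is rejected. (Restricted here to padding that
    fits inside the final block.)"""
    if len(last_block) != BLOCK_SIZE:
        return False
    pad_len = last_block[-1]
    if pad_len >= BLOCK_SIZE:
        return False
    return all(b == pad_len for b in last_block[-(pad_len + 1):])


def pad_block(data: bytes) -> bytes:
    """Build a final block with TLS-style padding (also valid under SSL 3.0)."""
    assert len(data) < BLOCK_SIZE
    pad_len = BLOCK_SIZE - len(data) - 1
    return data + bytes([pad_len]) * (pad_len + 1)


def scramble_padding(last_block: bytes) -> bytes:
    """Replace the padding bytes (but not the length byte) with constructed
    filler, modelling a block whose padding no longer matches its length."""
    pad_len = last_block[-1]
    data = last_block[: BLOCK_SIZE - pad_len - 1]
    filler = bytes(range(0xA1, 0xA1 + pad_len))  # constructed values
    return data + filler + bytes([pad_len])


def compare(last_block: bytes) -> dict:
    """Report how a receiver under each protocol would treat the block."""
    return {"ssl3": ssl3_padding_ok(last_block), "tls1": tls_padding_ok(last_block)}


if __name__ == "__main__":
    good = pad_block(b"ok")                  # b"ok" + five 0x05 bytes + length 0x05
    print(compare(good))                     # both protocols accept
    print(compare(scramble_padding(good)))   # SSL 3.0 accepts, TLS 1.0 rejects
```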

Rumors of a bug in SSL software had circulated in recent days, prompting some security experts to prepare for a significant threat this week.

“Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue,” Google said in the statement. The immediate fix to the problem will “break some sites and those sites will need to be updated quickly.”

“In the coming months, we hope to remove support for SSL 3.0 completely from our client products,” Google said.

So far this year, researchers have found two similar vulnerabilities: April’s ‘Heartbleed’ bug in OpenSSL and September’s ‘Shellshock’ bug in the Unix shell known as Bash.

Experts said that attackers could steal session cookies in a so-called Poodle attack, and with them email, banking and social networking data. Most security experts consider the threat less severe than the two bugs discovered earlier.

Tal Klein, vice president of cloud security firm Adallom said, “If Shellshock and Heartbleed were Threat Level 10, then Poodle is more like a 5 or a 6.”

Ivan Ristic, director of application security research at Qualys, said “Poodle” was not as dangerous as the earlier threats because the attack seemed to be ‘quite complicated,’ requiring hackers to have privileged access to vulnerable networks.

Jeff Moss, founder of the Def Con hacking conference and an advisor to the U.S. Department of Homeland Security, said attackers would need to mount a ‘man-in-the-middle’ attack, placing themselves between targeted users and websites by using techniques such as setting up rogue Wi-Fi “hotspots” in internet cafes.

Google recommended a technical workaround for securing web servers, but added in its blog post that it eventually wants to remove support for SSL 3.0 from all of its client software.

Mozilla plans to disable SSL 3.0 by default in the next version of its Firefox browser, which is scheduled for release on November 25.

“SSL version 3.0 is no longer secure,” a Mozilla advisory explains. “Browsers and websites need to turn off SSLv3 and use more modern security protocols as soon as possible.”

Microsoft issued an advisory recommending that users disable SSL 3.0 on Windows servers and PCs.

Carrie Ann, Editor-in-Chief at Industry Leaders Magazine