New "POODLE" SSL3 vulnerability threatens HTTPS2014-10-15 09:44 by Daniela
Tags: POODLE, security, SSL, HTTPS
Google announced that it has discovered a security bug in the design of SSL version 3.0. Google's researchers Bodo Mueller, Thai Duong and Krzysztof Kotowicz developed an attack that exploits the SSL flaw and called it "POODLE," which stands for "Padding Oracle On Downgraded Legacy Encryption."
With such an attack hackers could steal browser "cookies", potentially taking control of email, banking and social networking accounts. However, security experts claim the threat is not as serious as the "Heartbleed" bug in OpenSSL protocol and "Shellshock" bug in Bash.
The security bug affects SSL version 3.0, which is nearly 15 years old. It has been replaced by TLS 1.0 and TLS 1.1 and TLS 1.2. However, most modern TLS implementations are still backward compatible with Open SSL 3.0 and therefore vulnerable to this particular flaw.
Google is preparing a patch for Chrome that would forbid falling back to SSL 3.0 for all servers, but "this change will break things and so we don't feel that we can jump it straight to Chrome's stable channel. But we do hope to get it there within weeks and so buggy servers that currently function only because of SSL 3.0 fallback will need to be updated."
Mozilla will also take actions to solve the problem. It plans to turn off SSL 3.0 in Firefox.
"SSLv3 will be disabled by default in Firefox 34, which will be released on Nov 25," said Mozilla in a post.
Read more -here-