A new security hole was recently discovered in a basic protocol used for encrypting web traffic. Its name is POODLE, which stands for Padding Oracle on Downgraded Legacy Encryption, and it was discovered by three Google security researchers who published a paper about it.
POODLE affects SSLv3 or version 3 of the Secure Socket Layer protocol, which is used to encrypt traffic between a browser and a web site, or between a user’s email client and mail server. SSL is a cryptographic protocol used to provide encryption and authentication security. SSLv3 is the most recent variant – and has been widely used in browsers including Google Chrome, Mozilla Firefox, IE, Opera, and Safari. Primarily all browsers on Windows PCs, Windows Servers, Macs, tablets and smart phones may be affected. Additionally, SSLv3 is also used on Unix and Linux platforms.
This threat is not as serious as the recent Heartbleed and Shellshock vulnerabilities, but POODLE could allow an attacker to hijack and decrypt the session cookie that identifies you to a service like Twitter or Google, and then take over your accounts without needing your password.
The attack works only on traffic sessions using SSLv3. Although this is an old protocol that has been replaced in many client and server configurations with TLS (Transport Layer Security), many browser clients and web servers that use TLS for connections still support SSLv3. Some products and browsers, like Internet Explorer 6 for Windows XP, only use SSLv3. There are also clients that support SSLv3 as an alternative to use whenever a TLS connection to a web server fails. An attacker could exploit this compatibility to downgrade a connection to SSLv3 and then conduct the POODLE attack to hijack your session.
“This attack is really against clients — you have to worry about it if you’re in a place like Starbucks,” says Rob Graham, CEO of Erratasec. “If you’re at home there’s probably no need to panic.”
Heartbleed and Shellshock were vulnerabilities that allowed an attacker to hack a server. POODLE instead targets the clients.
“The fear of rushing to go fix this is very low because of that,” Graham says. “People with servers can’t get hacked, and people with vulnerable clients also can’t get hacked unless they’re on an open Wi-Fi.”
Taking into consideration that this information could be overwhelming, the best practice is to upgrade older versions of browsers and disable SSLv3, as there is no other fix available at this time.
The following browsers support TLS 1.0 (and must be configured to disable SSLv3):
- Google Chrome v1
- Firefox v1
- Internet Explorer v7
- Safari v1
It is also recommended to upgrade email versions that use TLS 1.1:
- Apple Mail (OS X Panther)
- Outlook 2003 (SP2) or higher
- Outlook Express 4.0 or higher
- Thunderbird 2.0
- Entourage 2008
First Financial updates our systems regularly and your data security is the highest priority. Should you have any further questions or concerns regarding this matter, please contact Member Services at 866.750.0100 or email firstname.lastname@example.org.
Article Source: http://www.wired.com/2014/10/poodle-explained/