We’ve heard about a lot of bugs this year, not the least of which is the recent “Shellshock” bug. Now Google researchers have discovered a bug in SSL 3.0 that could allow hackers to nab user data. The discovery was detailed today in a report published by the team, which says they were able to breach the protocol using what they call a “POODLE” (Padding Oracle On Downgraded Legacy Encryption) attack. As a result, they recommend that SSL 3.0 be disabled to mitigate the problem.
The discovery was made by Google researchers Thai Duong, Krzysztof Kotowicz, and Bodo Moller, who say the vulnerability can be exploited using what they refer to as a “downgrade dance”. The dance communicates to the target that TLS isn’t supported, causing it to connect with SSL 3.0 instead.
Once connected, a man-in-the-middle attack can then be used to get secure HTTP cookies, among other things, leaving users’ data vulnerable to interception. The team goes into extensive detail about their discoveries, which you can read for yourself in the report.
With the exception of machines that only support SSL 3.0 (“then all hope is gone,” say the researchers), disabling SSL 3.0 is the best solution to the problem. This goes for both clients and servers. They do say, however, that “Disabling SSL 3.0 entirely right away may not be practical if it is needed occasionally to work with legacy systems. Also, similar protocol version downgrades are still a concern with newer protocol versions (although not nearly as severe as with SSL 3.0).”
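As an added illustration of the server-side mitigation (not code from the researchers' report or from this article), the following Python code scans configuration text for nginx `ssl_protocols` and Apache `SSLProtocol` directives that still leave SSL 3.0 enabled. The sample lines are constructed, and the token-resolution rules are a simplified assumption; in particular, `all` is treated as including SSLv3.

```python
import re

# Directive names are real (nginx `ssl_protocols`, Apache mod_ssl `SSLProtocol`);
# the parsing rules below are a simplified assumption, not either server's parser.
DIRECTIVE = re.compile(r"^\s*(ssl_protocols|SSLProtocol)\s+([^;#]+)", re.IGNORECASE)

def enabled_protocols(tokens):
    """Resolve a protocol token list to the set of enabled protocol names."""
    enabled = set()
    for tok in tokens:
        sign, name = "+", tok
        if tok[0] in "+-":
            sign, name = tok[0], tok[1:]
        name = name.lower()
        # Conservative assumption: "all" includes SSLv3 unless removed later.
        names = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"} if name == "all" else {name}
        if sign == "-":
            enabled -= names
        else:
            enabled |= names
    return enabled

def audit(config_text):
    """Return (line_number, directive_text) for every line that leaves SSLv3 on."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = DIRECTIVE.match(line)  # commented-out lines do not match
        if m and "sslv3" in enabled_protocols(m.group(2).split()):
            findings.append((lineno, line.strip()))
    return findings

SAMPLE = """\
# constructed sample configuration lines
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.2;
SSLProtocol all -SSLv3
SSLProtocol all
SSLProtocol -all +TLSv1.2
# ssl_protocols SSLv3;
"""

if __name__ == "__main__":
    for lineno, text in audit(SAMPLE):
        print(f"line {lineno}: SSL 3.0 still enabled -> {text}")
```
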