Google Exposes 'Poodle' Vulnerability in Web Encryption Standard
Marc Maligalig | Oct 15, 2014 09:55 AM EDT
A newly discovered security hole in Secure Sockets Layer (SSL) 3.0 makes the 15-year-old protocol nearly impossible to use safely.
Bodo Möller, Krzysztof Kotowicz and Thai Duong, three security engineers at Google, published a report confirming this vulnerability.
The vulnerability reveals encrypted data to a hacker with access to the network. The attack is called POODLE, which stands for Padding Oracle On Downgraded Legacy Encryption, and the protocol it targets, SSL 3.0, is used by both Internet browsers and websites.
To fix the vulnerability, both must be weaned off SSL 3.0; as long as SSL 3.0 is supported, it remains a problem.
SSL 3.0 is no longer the most up-to-date embodiment of Internet encryption being used today, however. Möller said secure HTTP servers and browsers still require SSL 3.0 in case they face incompatibilities in Transport Layer Security, SSL's more advanced, less exploitable younger sibling.
The good news is that not much of the Internet depends on the outdated SSL 3.0. A team of researchers from the University of Michigan demonstrated that only a few websites still rely on SSL 3.0 for anything.
Less than 0.3 percent of communications between a server and a site rely on SSL 3.0, while 0.42 percent of Alexa's top one million domains partly use it.
The problem with POODLE is that hackers can force the browser to downgrade to SSL 3.0.
If either the server or the browser encounters problems while connecting with TLS, browsers and sites often fall back to SSL. Cyber attackers can force a failure in the connection that results in a fallback to SSL 3.0, exposing the computer to hackers.
Because turning off SSL 3.0 outright causes compatibility issues for servers and sites, Möller recommended that administrators of both add support for TLS_FALLBACK_SCSV, a mechanism in TLS that prevents hackers from tricking browsers into downgrading not only to SSL 3.0, but to TLS 1.1 and 1.0 as well.
It "may help prevent future attacks," he wrote.
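The fallback behaviour and the TLS_FALLBACK_SCSV check described above can be modelled in a few lines. This is an added example, not code from the article or from Google's report: it is a simplified model rather than a TLS implementation, the `Server` class, `connect` function and `fails_above` parameter are hypothetical names, and the numeric values are those defined in RFC 7507 and the TLS specifications.

```python
# Added example: simplified model of browser version fallback and the
# TLS_FALLBACK_SCSV check from RFC 7507. Not a TLS implementation.
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303  # wire versions
NAMES = {SSL3: "SSL 3.0", TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2"}
ALL = [SSL3, TLS10, TLS11, TLS12]
TLS_FALLBACK_SCSV = 0x5600       # signaling cipher suite value (RFC 7507)
AES128_CBC_SHA = 0x002F          # TLS_RSA_WITH_AES_128_CBC_SHA, a CBC suite
INAPPROPRIATE_FALLBACK = 86      # fatal alert defined by RFC 7507
PROTOCOL_VERSION = 70            # alert: no common protocol version


class Server:
    """Hypothetical server model: supported versions plus SCSV awareness."""

    def __init__(self, versions, honors_scsv):
        self.versions, self.honors_scsv = versions, honors_scsv

    def hello(self, client_version, suites):
        # RFC 7507: the SCSV marks a retry. If the server could have done
        # better than the offered version, the retry was not needed.
        if (self.honors_scsv and TLS_FALLBACK_SCSV in suites
                and client_version < max(self.versions)):
            return ("alert", INAPPROPRIATE_FALLBACK)
        usable = [v for v in self.versions if v <= client_version]
        return ("ok", max(usable)) if usable else ("alert", PROTOCOL_VERSION)


def connect(server, client_versions, send_scsv, fails_above=None):
    """Client retry loop. fails_above (constructed) models handshakes that
    break on the network whenever the offered version is above that value."""
    highest = max(client_versions)
    for version in sorted(client_versions, reverse=True):
        if fails_above is not None and version > fails_above:
            continue                      # handshake failed, retry lower
        suites = [AES128_CBC_SHA]
        if send_scsv and version < highest:
            suites.append(TLS_FALLBACK_SCSV)
        kind, value = server.hello(version, suites)
        if kind == "ok":
            return NAMES[value]
        if value == INAPPROPRIATE_FALLBACK:
            return "aborted: inappropriate_fallback"
    return "failed: no common version"


if __name__ == "__main__":
    for scsv in (False, True):
        srv = Server(ALL, honors_scsv=scsv)
        print(scsv, connect(srv, ALL, scsv), connect(srv, ALL, scsv, SSL3))
```

The model only refuses the downgrade when the client sends the value and the server checks it, which is why the recommendation is addressed to administrators of both.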
Tags: POODLE, Security engineers, internet security, hacker, SSL 3.0, TLS, browser, server
©2015 Chinatopix All rights reserved. Do not reproduce without permission