CHINA TOPIX

12/22/2024 07:41:55 pm

Make CT Your Homepage

Google Exposes 'Poodle' Vulnerability in Web Encryption Standard

Internet security

(Photo : Reuters)

A newly discovered security hole in Secure Socket Layer 3.0 makes the 15 year-old protocol nearly impossible to use safely.

Bodo Möller, Krzysztof Kotowicz and Thai Duong, three security engineers at Google, published a report confirming this vulnerability.

The vulnerability reveals encrypted data to a hacker with access to the network. POODLE, which stands for Padding Oracle On Downgraded Legacy Encryption, is used by both Internet browsers and websites.

Like Us on Facebook

To fix the vulnerability, both must be weaned off SSL 3.0, and as long as the Secure Socket Layer 3.0 is supported, it remains a problem.

SSL 3.0 is no longer the most up-to-date embodiment of Internet encryption being used today, however. Möller said secure HTTP servers and browsers still require SSL 3.0 in case they face incompatibilities in Transport Layer Security, SSL's more advanced, less exploitable younger sibling.

The good news is that not much of the Internet depends on the outdated SSL 3.0. A team of researchers from the University of Michigan demonstrated that only a few websites still rely on SSL 3.0 for anything.

Less than 0.3 percent of communications between a server and a site rely on SSL3.0, while 0.42 percent of Alexa's top one million domains partly use it.

The problem with POODLE is that it can be used by hackers to force the browser to downgrade back to SSL 3.0

If either the server or browser encounters problems while connecting with TLS, browsers and sites often go back to SSL. Cyber attackers can force a failure in the connection that will then result in SSL 3.0 exposing the computer to hackers.

As turning off SSL 3.0 directly causes compatibility issues for servers and sites, Möller recommended that administrators for both include support for TLS_FALLBACK_SCSV, a protocol in TLS that prevents hackers from tricking browsers into downgrading not only to SSL 3.0, but to TLS 1.1 and 1.0 as well.

It "may help prevent future attacks," he wrote.

Real Time Analytics