POODLE Is The New Security Flaw in SSL Found By Google - Should You Be Worried?

Dhananjay Harkare

@dhananjay-0OEUGZ Oct 27, 2024
While the United States is celebrating National Cyber Security Awareness Month, researchers at Google have found a flaw in an old yet widely used protocol, SSL 3.0. Bodo Möller, Thai Duong and Krzysztof Kotowicz from Google have named the newly found vulnerability POODLE (Padding Oracle On Downgraded Legacy Encryption). With POODLE, an attacker can work out the plaintext of a secure connection, which may include decrypting HTTP cookies. According to the researchers, the POODLE flaw can affect the Secure Sockets Layer (SSL) protocol used to secure a user’s session with a web service. Though this is believed to be not-so-serious, we have to mention that POODLE has the potential to make your web browsing unsafe.

Browsers

SSL is a protocol used to encrypt the session between a browser and a website, say Facebook, to keep out any unauthorized party. With POODLE, the attacker can decrypt such a session and take control of your Facebook account without needing your password. However, it’s not as easy as it sounds. The attacker must be on the same network as the user, and the user must be running JavaScript and a browser that supports SSL. Because SSL is an old protocol, many clients and web servers have replaced it with Transport Layer Security (TLS), but some of them still support it.

Google’s team said that there’s hardly any reason for home users to worry, as there is no man-in-the-middle (of course, except the NSA). The best solution is to support TLS_FALLBACK_SCSV in browsers and servers, which prevents an attacker from downgrading the security handshake to older standards. Unlike the recently found vulnerabilities Heartbleed and Shellshock, which attack servers, POODLE attacks clients. Google is unclear about how widespread the flaw is and advises ending the use of SSLv3 for secure encryption.

Source: https://www.openssl.org/~bodo/ssl-poodle.pdf (PDF)
