Tuesday was not a good day for Internet security as various major technology companies, including Microsoft, Oracle and Adobe, scrambled to issue updates to pressing security issues. At the very least, the patches brought in some semblance of good news, but the day isn't over yet.
As a matter of fact, Google has just announced that it discovered another security hole, one found in SSL, the same protocol that is used to encrypt data transmitted over the Internet. Google security expert Bodo Möller calls the vulnerability Poodle, short for Padding Oracle On Downgraded Legacy Encryption, and this Poodle is definitely one the Internet is not going to love.
Möller, who discovered Poodle with the help of fellow Google engineers Thai Duong and Krzysztof Kotowicz, enables a network attacker to obtain information about the user that should have been otherwise protected by encryption, such as HTTP cookies that identify the user's browser with a certain website, such as Gmail or Twitter.
"This vulnerability allows the plaintext version of secure connections to be calculated by a network attacker," Möller says.
However, there is some silver lining to this piece of bad news. For one thing, any hackers looking to exploit the vulnerability should be on the same network as other people. This means users on their private Wi-Fi networks at home, for instance, shouldn't have to worry as much as others who connect to the Internet, say, on Panera's public Wi-Fi.
Also, the Poodle is particularly limited to SSL 3.0, a 15-year-old technology that is widely replaced by newer protocols TLS 1.0, TLS 1.1 and TLS 1.2. However, SSL 3.0 is still used as a backup in most web browsers in case they are unable to connect using the more modern protocols. Attackers can still exploit the issue during network glitches or by actively triggering a downgrade to the older protocol.
Thankfully, the security hole can be easily patched by disabling support for SSL 3.0, although at the risk of compatibility issues for users who are using web browsers that support only SSL 3.0, such as Internet Explorer 6 for Windows XP. Möller says the best solution is to use TLS_FALLBACK_SCSV, a mechanism that prevents attackers from forcing web browsers to downgrade to SSL 3.0.
No attacks known to have exploited the issue have yet been brought to light. Cloudflare, a company that offers security and web performance solutions used by around five percent of all websites on the Internet, says less than one percent of these websites are affected by Poodle.
"This one is not as bad as Heartbleed and it is definitely not as bad as Shellshock," says head of security engineering at Cloudflare Nick Sullivan.
