
SSL Encryption Bitten by POODLE


Written By
Sue Poremba
Oct 16, 2014

Security news has officially gone to the dogs. Well, at least, it has gone to the POODLE, this week’s variation of our regularly scheduled scary security vulnerability.

This particular vulnerability is found in the SSL 3.0 encryption standard. POODLE stands for Padding Oracle On Downgraded Legacy Encryption, which is the exploit against this vulnerability. As the Rapid7 blog explained:

It allows an attacker to steal information over time by altering communications between the SSL client and the server (also known as a man in the middle attack, or MITM).

If both the client and server support SSL 3.0, the attacker can leak approximately one byte of clear-text for every 256 requests. To give you an idea of the amount of effort required to get anything useful out of this, it would take approximately 2,000 forced requests to leak enough data for the attacker to hijack a typical HTTP over SSL session. This would take a few minutes if exploited by an attacker that was silently forcing connections to another server in the background.

SSL 3.0 has been around for a long time – since 1996 – and is used by almost all browsers. One bright spot is that, because it is so old, few websites actually use it anymore. But as a CNET article pointed out, the reason we need to be concerned is that, unlike Heartbleed and Shellshock, the vulnerabilities that POODLE is being compared to, no quick patch is coming. Users can, however, take an important step to protect themselves from being bitten by POODLE: Stay clear of unencrypted public Wi-Fi. And browser developers are taking steps to protect users.

How dangerous could POODLE be? The opinions are mixed. For instance, Matthew Green, an assistant research professor of computer science at Johns Hopkins University, told FirstPost that while POODLE will be a pain to fix, it isn’t going to take down the Internet. At the same time, a Slate article is blaring that this vulnerability is bad news. In what might be my favorite comment in a security article this year, PC Magazine, after warning what POODLE could do, added this:

The good news is they won’t be able to steal your password.

Seeing that every vulnerability and breach story this year involved passwords, this appears to be a refreshing change.


But . . . in an email, Hagai Bar-El, CTO for Sansa Security, warned that the flaw in the SSL 3.0 encryption protocol could expose passwords and other sensitive details over ‘secure’ sessions via the possible MITM attacks.

I think this is a vulnerability that, while it needs to be taken very seriously, is a good reminder of the importance of always using smart security practices. Think twice about using public and/or unencrypted Wi-Fi connections, always keep all of your applications and software up to date, and install patches when prompted.

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba


Sue Poremba is a freelance writer based in Central PA. She's been writing about cybersecurity and technology trends since 2008.
