Google on Tuesday revealed yet another Internet-wide security vulnerability with a cute name but potentially disastrous effects. POODLE (Padding Oracle On Downgraded Legacy Encryption) allows attackers to break the security of SSL 3.0, a protocol for secure Web communications that is 14 years old but still used as a last-ditch connection method with legacy devices or when others don't seem to work. SSL 3.0, also known as SSLv3, is only used when more modern protocols fail, and even then, of its two modes of encrypting data, one has long been known to be insecure. And now, as Google's researchers show, so is the other. Since an attacker can trick newer Web encryption methods into failing, causing connections to fall back to this old, and now completely ineffective protocol, the researchers conclude that "to achieve secure encryption, SSL 3.0 must be avoided entirely."
Like with Heartbleed and Shellshock, there's nothing end users can do about it, but companies worldwide will be scrambling to issue patches to their servers and embedded devices disallowing use of SSl 3.0. Google discovered the vulnerability a month ago in September, and, as is commonly done with such widespread issues, alerted software and hardware vendors some time before this public disclosure.
- Russian Hackers Target NATO, Ukraine and Others: iSight
- Shellshock' No More: Apple Rolls Out Fix for 'Bash' Bug on Macs