Article Lead Image

POODLE attacks can target SSL 3.0 Web encryption, Google finds

This really bites.


Dell Cameron


Posted on Oct 15, 2014   Updated on May 30, 2021, 9:59 am CDT

Yet another potentially disastrous security vulnerability has been revealed by Google—this time in a commonly used Web encryption standard. 

A trio of Google security researchers on Tuesday unveiled the security hole in Secure Socket Layer (SSL) 3.0, dubbed POODLE, or “Padding Oracle On Downgraded Legacy Encryption.”

While SSL 3.0, used to encrypt Web traffic, is already considered obsolete—many clients and servers now rely on the more modern Transport Layer Security (TLS)—the threat posed by this bug is still widespread. 

What makes the POODLE attack such an Internet-wide threat is a common protocol, known as a “downgrade dance,” which forces browsers and, crucially, secure HTTP servers to revert to SSL 3.0 in the event an encrypted channel cannot be established with TLS. Typically, this would be advantageous, providing outdated clients with at least some level of protection. However, the problem lies in how easy it is for an attacker to trigger a connection error and force the use of the vulnerable SSL 3.0.

Security researchers evaluating the Google team’s findings note that, while serious, the POODLE attack isn’t as threatening as other security issues that have arisen this year, such as Heartbleed and Shellshock. For instance, even if an attacker does somehow force a user’s connection to rely on SSL 3.0, they’d still need privileged access to the victim’s network in order to perform the attack. So one way for users to avoid being targeted would be to keep a strong password on their home network and simply avoid public Wi-Fi. 

For good measure, Firefox users can install a security add-on that disables SSL 3.0 altogether. Chrome users can accomplish the same by adding a command line flag (–ssl-version-min=tls1) to their browser. (As you’ll see from the link, adding the code isn’t exactly quick or simple.)

Google notes in its report that, “In the coming months, we hope to remove support for SSL 3.0 completely from our client products.”

Photo via Greg Westfall/Flickr (CC BY 2.0)

Share this article
*First Published: Oct 15, 2014, 10:52 am CDT