- People on Twitter ask whose ancestors would’ve passed immigrant ‘wealth test’ Monday 6:54 PM
- Kobe Bryant helicopter crash mocked in teen’s TikTok video Monday 6:38 PM
- Chiefs, Bears, Packers have Twitter accounts hacked Monday 3:48 PM
- Washington Post reporter suspended amid backlash over Kobe Bryant tweet Monday 3:08 PM
- America is united in hating Ken Starr’s impeachment hat Monday 3:01 PM
- In ‘Cuties,’ the contradictions of growing up come to a head Monday 1:55 PM
- Racist tweets blame fruit bat soup for coronavirus Monday 1:25 PM
- What is the #ILeftTheGOP movement? Monday 1:21 PM
- The Grammys were weird and sad—but the Billy Porter hat memes offered some levity Monday 12:36 PM
- Auschwitz Museum calls on Facebook to ban Holocaust denialism Monday 11:59 AM
- YouTuber who said his girlfriend was dead now says he faked it Monday 11:42 AM
- Review: Kentucky Route Zero is one of the most magical games ever made Monday 11:00 AM
- Backlash grows against Clearview as lawsuit looms Monday 10:58 AM
- Tyler the Creator calls out the Grammys for racism over ‘Rap Album’ win Monday 10:25 AM
- Democrats call on John Bolton to testify after book bombshell Monday 9:56 AM
POODLE attacks can target SSL 3.0 Web encryption, Google finds
This really bites.
Yet another potentially disastrous security vulnerability has been revealed by Google—this time in a commonly used Web encryption standard.
A trio of Google security researchers on Tuesday unveiled the security hole in Secure Socket Layer (SSL) 3.0, dubbed POODLE, or “Padding Oracle On Downgraded Legacy Encryption.”
While SSL 3.0, used to encrypt Web traffic, is already considered obsolete—many clients and servers now rely on the more modern Transport Layer Security (TLS)—the threat posed by this bug is still widespread.
What makes the POODLE attack such an Internet-wide threat is a common protocol, known as a “downgrade dance,” which forces browsers and, crucially, secure HTTP servers to revert to SSL 3.0 in the event an encrypted channel cannot be established with TLS. Typically, this would be advantageous, providing outdated clients with at least some level of protection. However, the problem lies in how easy it is for an attacker to trigger a connection error and force the use of the vulnerable SSL 3.0.
Security researchers evaluating the Google team’s findings note that, while serious, the POODLE attack isn’t as threatening as other security issues that have arisen this year, such as Heartbleed and Shellshock. For instance, even if an attacker does somehow force a user’s connection to rely on SSL 3.0, they’d still need privileged access to the victim’s network in order to perform the attack. So one way for users to avoid being targeted would be to keep a strong password on their home network and simply avoid public Wi-Fi.
For good measure, Firefox users can install a security add-on that disables SSL 3.0 altogether. Chrome users can accomplish the same by adding a command line flag (–ssl-version-min=tls1) to their browser. (As you’ll see from the link, adding the code isn’t exactly quick or simple.)
Google notes in its report that, “In the coming months, we hope to remove support for SSL 3.0 completely from our client products.”
Photo via Greg Westfall/Flickr (CC BY 2.0)
Dell Cameron was a reporter at the Daily Dot who covered security and politics. In 2015, he revealed the existence of an American hacker on the U.S. government's terrorist watchlist. He is a co-author of the Sabu Files, an award-nominated investigation into the FBI's use of cyber-informants. He became a staff writer at Gizmodo in 2017.