POODLE attacks can target SSL 3.0 Web encryption, Google finds
This really bites.
Yet another potentially disastrous security vulnerability has been revealed by Google—this time in a commonly used Web encryption standard.
A trio of Google security researchers on Tuesday unveiled the security hole in Secure Sockets Layer (SSL) 3.0, dubbed POODLE, or “Padding Oracle On Downgraded Legacy Encryption.”
While SSL 3.0, used to encrypt Web traffic, is already considered obsolete—many clients and servers now rely on the more modern Transport Layer Security (TLS)—the threat posed by this bug is still widespread.
What makes the POODLE attack such an Internet-wide threat is a common protocol, known as a “downgrade dance,” which forces browsers and, crucially, secure HTTP servers to revert to SSL 3.0 in the event an encrypted channel cannot be established with TLS. Typically, this would be advantageous, providing outdated clients with at least some level of protection. However, the problem lies in how easy it is for an attacker to trigger a connection error and force the use of the vulnerable SSL 3.0.
Security researchers evaluating the Google team’s findings note that, while serious, the POODLE attack isn’t as threatening as other security issues that have arisen this year, such as Heartbleed and Shellshock. For instance, even if an attacker does somehow force a user’s connection to rely on SSL 3.0, they’d still need privileged access to the victim’s network in order to perform the attack. So one way for users to avoid being targeted would be to keep a strong password on their home network and simply avoid public Wi-Fi.
For good measure, Firefox users can install a security add-on that disables SSL 3.0 altogether. Chrome users can accomplish the same by adding a command line flag (--ssl-version-min=tls1) to their browser. (As you’ll see from the link, adding the code isn’t exactly quick or simple.)
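To make the “downgrade dance” and the minimum-version fix concrete, here is an added example (not code from Google’s report or from any browser) that models the fallback logic in plain Python with no network traffic. The function name, its parameters and the failure scenario are assumptions made for illustration.

```python
# Added illustration: a pure-Python model of the fallback logic; no network I/O.
# Version names and ordering follow the protocols named in the article.
VERSIONS = ["SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"]  # oldest -> newest


def downgrade_dance(server_supports, min_version="SSL 3.0", failing=()):
    """Model a client that retries with the next-older version after each
    failed handshake.

    server_supports: versions the server accepts.
    min_version:     client floor (hypothetical parameter mirroring the
                     article's --ssl-version-min=tls1 setting).
    failing:         versions whose handshakes fail in transit (constructed
                     input standing in for the connection errors the article
                     describes).
    Returns (negotiated_version_or_None, list_of_attempts).
    """
    floor = VERSIONS.index(min_version)
    attempts = []
    for version in reversed(VERSIONS[floor:]):  # newest first
        attempts.append(version)
        if version in server_supports and version not in failing:
            return version, attempts
    return None, attempts  # fail closed: nothing at or above the floor worked


if __name__ == "__main__":
    server = set(VERSIONS)
    tls_errors = {"TLS 1.0", "TLS 1.1", "TLS 1.2"}  # constructed scenario
    for label, floor in (("no floor", "SSL 3.0"), ("floor = TLS 1.0", "TLS 1.0")):
        for fail in ((), tls_errors):
            result, tried = downgrade_dance(server, floor, fail)
            print(f"{label:16} errors={bool(fail)!s:5} -> {result} after {tried}")
```

With no floor, repeated TLS failures walk the client down to SSL 3.0; with the floor set to TLS 1.0 the same failures end in a refused connection instead.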
Google notes in its report that, “In the coming months, we hope to remove support for SSL 3.0 completely from our client products.”
Photo via Greg Westfall/Flickr (CC BY 2.0)
Dell Cameron was a reporter at the Daily Dot who covered security and politics. In 2015, he revealed the existence of an American hacker on the U.S. government's terrorist watchlist. He is a co-author of the Sabu Files, an award-nominated investigation into the FBI's use of cyber-informants. He became a staff writer at Gizmodo in 2017.