Arraya Insights | October 23, 2014
The vulnerability, discovered by Google researchers Bodo Möller, Thai Duong and Krzysztof Kotowicz, affects the SSL 3.0 protocol. POODLE (short for “Padding Oracle On Downgraded Legacy Encryption”) lets an attacker who can tamper with a victim’s encrypted traffic decrypt it one byte at a time, because the CBC cipher suites in SSL 3.0 never check the contents of the padding bytes, only the padding length. The practical target is the small piece of data a browser attaches to every request to a site, the session cookie. With a stolen cookie, the attacker can take over the victim’s logged-in session on that site without ever learning the password.
As far as encryption protocols go, SSL 3.0 is obsolete: it dates from 1996 and has been superseded by TLS 1.0, 1.1 and 1.2. Browsers first try to negotiate the newest version both sides support. However, and there’s always a however, when that handshake fails for any reason, most browsers retry with progressively older versions, all the way down to SSL 3.0. This “downgrade dance” exists for compatibility with old or buggy servers and network middleboxes that choke on newer TLS handshakes, and servers for their part keep SSL 3.0 switched on so that legacy clients such as IE 6 on Windows XP, which speak nothing newer, can still reach secure sites.
Because of that fallback, an attacker sitting between the browser and the server can make a modern browser believe SSL 3.0 is the only option: interfere with the TLS handshakes (for example by dropping or resetting them) until the browser retries with SSL 3.0, then mount the POODLE attack against that connection. That puts even fully patched, diligently updated browsers at risk. To pull this off, the attacker needs to be in a position to intercept and modify the victim’s traffic, and also needs the browser to send the same cookie-bearing request over and over (on the order of 256 times per cookie byte), which is typically arranged by injecting JavaScript into an unencrypted page the victim loads. Public Wi-Fi at a coffee shop or an airport would therefore make for an attractive place to mount it.
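To make the padding-oracle mechanism concrete, here is a self-contained simulation of the attack. It is an added example, not code from the article or from the researchers. It uses a toy 8-byte Feistel block cipher built on SHA-256 in place of 3DES/AES-CBC so it runs with the Python standard library alone, HMAC-SHA1 as the record MAC, and a random IV per record to model the browser’s CBC chaining state moving between requests; those are simplifications. The detail the attack depends on is faithful: the server reads only the last padding byte, strips that much, and then verifies the MAC. The `Ssl3Session` class, the `poodle_recover` function and the `session=s3cr3t` cookie are all constructed for this demo.

```python
"""POODLE simulation: SSL 3.0 CBC records check only the padding LENGTH byte.

Constructed example (not from the article). Toy 8-byte Feistel cipher on
SHA-256 stands in for 3DES/AES-CBC; HMAC-SHA1 stands in for the SSL 3.0 MAC.
"""
import hashlib
import hmac
import os

BLOCK = 8          # 3DES-sized blocks, as in the original POODLE write-up
MAC_LEN = 20       # HMAC-SHA1 output length


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, half, rnd):
    # Toy Feistel round function: keyed SHA-256 truncated to half a block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def block_encrypt(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, r, rnd))
    return l + r


def block_decrypt(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(key, l, rnd)), l
    return l + r


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, blk), prev))
        prev = blk
    return b"".join(out)


class Ssl3Session:
    """One SSL 3.0 connection: victim browser (victim_send) and server (server_accepts)."""

    def __init__(self, cookie):
        self.enc_key = os.urandom(16)
        self.mac_key = os.urandom(16)
        self.cookie = cookie              # the secret the attacker wants to read

    def victim_send(self, prefix_len, suffix_len):
        # Attacker-controlled JavaScript picks the URL/body lengths; the browser
        # appends the cookie. Fresh IV = CBC state advancing between records.
        data = b"P" * prefix_len + self.cookie + b"S" * suffix_len
        mac = hmac.new(self.mac_key, data, hashlib.sha1).digest()
        pad_len = (BLOCK - (len(data) + MAC_LEN + 1) % BLOCK) % BLOCK
        padding = os.urandom(pad_len) + bytes([pad_len])   # content never checked
        iv = os.urandom(BLOCK)
        return iv, cbc_encrypt(self.enc_key, iv, data + mac + padding)

    def server_accepts(self, iv, ct):
        """The padding oracle: True iff the record decrypts to a valid MAC."""
        pt = cbc_decrypt(self.enc_key, iv, ct)
        pad_len = pt[-1]
        if pad_len >= BLOCK:              # SSL 3.0 validates only the length byte
            return False
        body = pt[:-(pad_len + 1)]
        data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
        return hmac.compare_digest(mac, hmac.new(self.mac_key, data, hashlib.sha1).digest())


def poodle_recover(session, cookie_len, max_tries=20000):
    """Recover the cookie byte by byte using only the accept/reject oracle."""
    recovered = bytearray()
    for k in range(cookie_len):
        # Put cookie byte k at the last position of a block, and size the record
        # so its final block is entirely padding (pad length == BLOCK - 1).
        prefix = (BLOCK - 1 - k) % BLOCK
        suffix = (-(prefix + cookie_len + MAC_LEN)) % BLOCK
        target = (prefix + k) // BLOCK
        for _ in range(max_tries):
            iv, ct = session.victim_send(prefix, suffix)
            blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
            forged = b"".join(blocks[:-1]) + blocks[target]   # swap in target block
            if session.server_accepts(iv, forged):
                # Accepted => D(C_target)[-1] ^ C_prev_last[-1] == BLOCK - 1.
                before_target = iv if target == 0 else blocks[target - 1]
                before_last = blocks[-2]
                recovered.append((BLOCK - 1) ^ before_last[-1] ^ before_target[-1])
                break
        else:
            raise RuntimeError("oracle never accepted; raise max_tries")
    return bytes(recovered)


if __name__ == "__main__":
    s = Ssl3Session(b"session=s3cr3t")
    print(poodle_recover(s, 14))
```

Each recovered byte costs about 256 oracle queries on average, which is exactly why the real attack needs the victim’s browser to resend the same request repeatedly. Swapping the padding check for a TLS-style check of every padding byte, or moving to a non-CBC suite, removes the oracle.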
Because of what exploiting it takes (an active on-path attacker and hundreds of requests per byte) and because it targets individual sessions rather than whole servers, POODLE isn’t seen as big a risk as Heartbleed and Shellshock.
Still, sites like Twitter have already disabled SSL 3.0 in response to the POODLE vulnerability, while Mozilla plans to have SSL 3.0 disabled by default in its upcoming Firefox 34 release, due out on Nov. 25. According to Adam Langley, who works on Google’s Chrome browser, Google has considered implementing a permanent fix, but since that will break access for users of legacy browsers it will hold off to give them a chance to upgrade. In the meantime Chrome and Google’s servers already support TLS_FALLBACK_SCSV, a handshake signal that lets a server recognise and refuse a forced downgrade.
If your people only reach your systems over a private network or through a VPN (one that doesn’t itself rely on SSL 3.0), you’re likely in the clear, since the attacker needs to be on the path between browser and server. Even so, disable SSL 3.0 on your servers, load balancers and VPN concentrators and require TLS 1.x (ideally TLS 1.2), and where SSL 3.0 cannot be turned off yet, enable TLS_FALLBACK_SCSV so that a forced downgrade is rejected. The time is also right for IT to take a quick inventory of which browser versions employees are using and update anyone whose software is out of date.
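A quick way to check your own servers, without depending on an OpenSSL build that still has SSL 3.0 compiled in, is to send a raw SSL 3.0 ClientHello and look at the first record that comes back. The script below is an added example, not from the article: it builds the ClientHello by hand, classifies the server’s reply, and can add TLS_FALLBACK_SCSV to the hello so you can also verify that a server rejects a downgrade retry with an inappropriate_fallback alert. `build_client_hello`, `classify_response` and `probe` are names chosen for this example, and the cipher suite list is an assumption about what an SSL 3.0 client would offer.

```python
"""Probe a server for SSL 3.0 support and TLS_FALLBACK_SCSV handling.

Constructed example (not from the article). Builds a raw SSL 3.0 ClientHello
and interprets the first record the server sends back.
"""
import socket
import struct

TLS_FALLBACK_SCSV = 0x5600   # RFC 7507 signalling cipher suite value
SSL3 = (3, 0)


def build_client_hello(version=SSL3, fallback_scsv=False):
    """Record layer + Handshake(ClientHello) for the given protocol version."""
    major, minor = version
    # Assumed offer: the CBC suites an SSL 3.0-era client would typically send.
    suites = [0x000A, 0x002F, 0x0035]
    if fallback_scsv:
        suites.append(TLS_FALLBACK_SCSV)   # "this hello is a downgrade retry"
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        bytes([major, minor])
        + b"\x00" * 32                     # client random, fixed for reproducibility
        + b"\x00"                          # empty session id
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                      # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # type 1 = ClientHello
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Interpret the first record returned for an SSL 3.0 ClientHello."""
    if len(data) < 5:
        return "no-tls-response"           # closed connection or non-TLS data
    ctype = data[0]
    if ctype == 0x16 and len(data) >= 11 and data[5] == 0x02:
        # ServerHello: record header (5) + handshake header (4), then version.
        negotiated = (data[9], data[10])
        if negotiated == SSL3:
            return "ssl3-accepted"
        return "negotiated-%d.%d" % negotiated
    if ctype == 0x15 and len(data) >= 7:
        desc = data[6]                     # alert description byte
        if desc == 86:
            return "fallback-scsv-honoured"        # inappropriate_fallback
        if desc == 70:
            return "ssl3-refused (protocol_version)"
        if desc == 40:
            return "ssl3-refused (handshake_failure)"
        return "alert-%d" % desc
    return "unexpected-record-%02x" % ctype


def probe(host, port=443, fallback_scsv=False, timeout=5):
    """Connect, send the hello, classify the reply. Needs network access."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello(SSL3, fallback_scsv))
            return classify_response(sock.recv(4096))
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return "connection-error (%s)" % exc


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print("plain SSL 3.0 hello:   ", probe(target))
    print("with TLS_FALLBACK_SCSV:", probe(target, fallback_scsv=True))
```

Read the results as follows: `ssl3-accepted` means the server still negotiates SSL 3.0 and should be reconfigured; either `ssl3-refused` value means it is already off; `fallback-scsv-honoured` on the second probe means the server detects downgrade retries from clients that send the signal, which protects those clients even where SSL 3.0 remains enabled for legacy ones.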
For more tips on cyber security, check out Arraya’s series of articles on National Cyber Security Awareness Month. Also, to find out how Arraya can help you keep your system secure and up to date, visit www.ArrayaSolutions.com or contact your Arraya rep now.
Arraya’s previous National Cyber Security Awareness Month posts include: