SSL3 Vulnerability code-named 'Poodle'

google hacking internet linux poodle security ssl unix windows

SSL version 3 is still being supported across all platforms. That is , even though this encryption mechanism for the web is 15 years old, almost as old as Windows XP. Google researchers revealed today that SSL 3 might be vulnerable to Man in the Middle (MITM) attacks. Basically, an attacker who sits between you and your service provider (bank website, PayPal, etc.) will continue to send “downgrade encryption” requests to your web browser until it surrenders. What happens at the point? Your web browser agrees to use SSL 3 for encrypted communication which our ‘man in the middle’ is able to decrypt. Here is an amazing graphic from @jesperjurcenoks that explains the issue very well.

@jesperjurcenoks

Who is affected:

This vulnerability works if both server and client accept SSL v3. Currently, researchers have shown that the adversary would need to be on same network as you. This includes public Wi-Fi such as Starbucks, TWC Wi-Fi etc.

Browser support for SSL3:

Both Google Chrome and Mozilla Firefox are going to completely remove SSL3 support.

What should I do:

At this point, Google recommends the use of TLSFALLBACKSCSV in addition to disabling SSL v3 completely. I guess it is time SSL 3 joins XP in legacy software heaven :)

Other resources:

Google security blog: http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html

Original paper: This POODLE Bites: Exploiting The SSL 3.0 Fallback    https://www.openssl.org/~bodo/ssl-poodle.pdf

Redhat support page: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3566

The author would love to hear your comments. Let us discuss at Twitter @qasimchadhar.