This time, the entire security community is abuzz with the latest SSLv3 vulnerability, codenamed the “Poodle” (Padding Oracle On Downgraded Legacy Encryption) – which basically allows a skilled attacker to carry out the “Man-in-the-middle” attack and eavesdrop on a “secure” (https) connection between a vulnerable client and server.
Why is all this happening now? I believe it’s the “bandaid” mentality. The SSL protocol is actually quite an ancient technology, developed by the “once-upon-a-time” famous company called Netscape (for those of you old enough to remember, the Netscape browser was the most popular browser in the late 80s and early 90s before IE killed it).
SSL version 1.0 and was never publicly released because of the various security flaws in it, version 2.0 was released in Feb 1995 but it still contained a number of security bugs which was addressed by the release of SSL ver 3.0.
I’m no cryptographic expert, but it would appear that instead of addressing the fundamental security issues/flaws in the SSL protocol, the developers decided to “bandaid” over it – each time a security bug was discovered in SSL ver 3.0, a new “bandaid” was applied.
Now, many years later, the evil Poodle emerges and attacks!
But of course, all is not lost (yet) – the good security folks recognizes the faults in the SSL protocol and started developing a more secure and robust protocol called “TLS” (Transport Layer Security) – which is backward compatible with SSL 3.0 to ensure nothing breaks.
Although the TLS protocol is available, many SSL clients still implement a protocol downgrade “dance” to work around the server side interoperability issues. Once this happens, the evil POODLE emerges! (For the more technically inclined, please see the links in the resources section for the technical discussion/papers).
Who is vulnerable? Nearly all the web-servers on the Internet – because SSL ver3.0 is enabled by default. Turning SSL3 off will cause many users (especially those using Firefox) unable to connect through the “secure” HTTPS
Are you vulnerable?
In most likely hood, the answer is yes. Point your browser to:
If you see this “cutie” poodle, you’re vulnerable to the SSLv3.0 bug.
Both my browsers – Firefox & Chrome showed that cute poodle. But I’m not worried (yet) … see the Poodle Solution below
The Poodle Solution!
Get a German Shepherd! Just joking – don’t stone me, all you poodle lovers!
BUT seriously, what does the SSL v3.0 / POODLE vulnerability mean for the average joe? Is the sky falling?
Fortunately not. The POODLE bug just means that if you are in a public wifi area, and you’re trying to do your Internet Banking (or access some sensitive data) via the “now-not-so-secure” HTTPS connection, you’re susceptible to the ‘man-in-the-middle’ attack where the attacker can hijack your connection and eavesdrop on you.
In other words, the attacker is able to steal your session cookies and use those to access your accounts (be it your email account, bank account, etc).
SO, to prevent that, don’t do anything that requires HTTPS connection in a public area! OR if you simply must, then invest in a VPN (or go through your company’s VPN).
The long term solution is for the vendors to fix this – RedHat, Debian, Ubuntu, Cpanel, Apache, etc – they are working round the clock from what I can tell to find a “proper” fix that will address this issue without breaking too many things.
The browser folks – Firefox/Mozilla, Google Chrome are working on a patch for their browsers as well. It is rumoured that Mozilla will drop support for SSL v3.0 (finally!!) on November 25th.
The Evil Poodle – SSL 3.0 Vulnerability (CVE-2014-3566)
Google Security Blog on the Poodle SSLv3.0 Bug
FedoraMagazine – what you need to know about the Poodle
Official Poodle SSLv3.0 Vulnerability by SANS ISC