- Oct 23, 2012
- 12,527
Is Internet security crumbling around us? With all of the recent issues, it sure seems like it. From Heartbleed impacting OpenSSL connections, to Shellshock impacting most of the web, to the constant reports of stolen personal data, it feels like security professionals are losing the war against the bad guys.
The latest issue comes from a trio of Google researchers who have announced an attack on SSLv3 called POODLE. Short for, "Padding Oracle On Downgraded Legacy Encryption," the attack can be used to downgrade a connection from the TLS standard and instead force an SSLv3 connection, which can then be attacked to steal cookie information. Once the cookie is obtained, the attacker could potentially impersonate a user session for themselves.
It's important to note that SSLv3 has been around for nearly 15 years and has been replaced by TLS 1.0, 1.1, and 1.2. However, older browsers, like Internet Explorer 6, aren't designed to handle the newer encryption standards, and therefore web servers (and browsers) have left the old version around for compatibility purposes.
Since the SSLv3 protocol is no longer secure, it is now being phased out of browsers. Google announced that they will be removing support for the SSLv3 "in the coming months," while Mozilla stated that it will be removed in Firefox 34 which will be released on November 25th.
Overall, this isn't a big deal for most end users, especially once the browsers remove compatibility for the older standard. For people managing servers, there will be some scrambling over the next few days to try and remove support while minimally impacting customers.
Source: Google | Poodle image courtesy of Shutterstock
The latest issue comes from a trio of Google researchers who have announced an attack on SSLv3 called POODLE. Short for, "Padding Oracle On Downgraded Legacy Encryption," the attack can be used to downgrade a connection from the TLS standard and instead force an SSLv3 connection, which can then be attacked to steal cookie information. Once the cookie is obtained, the attacker could potentially impersonate a user session for themselves.
It's important to note that SSLv3 has been around for nearly 15 years and has been replaced by TLS 1.0, 1.1, and 1.2. However, older browsers, like Internet Explorer 6, aren't designed to handle the newer encryption standards, and therefore web servers (and browsers) have left the old version around for compatibility purposes.
Since the SSLv3 protocol is no longer secure, it is now being phased out of browsers. Google announced that they will be removing support for the SSLv3 "in the coming months," while Mozilla stated that it will be removed in Firefox 34 which will be released on November 25th.
Overall, this isn't a big deal for most end users, especially once the browsers remove compatibility for the older standard. For people managing servers, there will be some scrambling over the next few days to try and remove support while minimally impacting customers.
Source: Google | Poodle image courtesy of Shutterstock
![[correlate]](/data/avatars/s/79/79653.jpg?1556985072){kind=avatar}
