Lifewithtech


Security Alert: POODLE Attacks SSL3

Secure Sockets Layer (SSL) Vulnerability AKA POODLE

POODLE attacks a specific type of encryption algorithm within the protocol, and it takes advantage of the negotiation feature within SSL/TLS to force the use of SSL 3.0.

SSL 3.0 is an outdated encryption standard that has generally been replaced by Transport Layer Security (TLS), but most implementations remain backwards compatible, and that is the root problem here. POODLE leverages this to decrypt content within the SSL session. Even though many systems default to TLS, they still have SSL enabled. Causing a TLS connection attempt to fail makes the protocol fall back to SSL 3.0, and that is the loophole POODLE uses.

Once in, POODLE creates a high number of connections between the client and server machines while it decrypts the SSL session byte by byte.

 

For POODLE to be successful, the following conditions must be met:

  • The attacker must be able to control portions of the client side of the SSL connection
  • The attacker must have visibility of the resulting ciphertext, which amounts to something like a man-in-the-middle (MITM) form of attack

 

Can I test to see if I’m vulnerable?

Yes. Visit this website: https://www.poodletest.com/.

Can I test websites to see if they’re vulnerable?

Yes. Visit this website: http://www.poodlescan.com/

 

How to fix this

The only correct way to fix POODLE is to disable SSL v3.0 in all your browsers. The problem is, there isn’t an easy way to do this right now. Each browser will be rolling out fixes soon so make sure to upgrade asap. Admins should also disable SSL v3.0 on their servers.
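For the server side of that advice, here is an added example (not code from the original post): a script that scans nginx `ssl_protocols` and Apache `SSLProtocol` directives and reports any that still leave SSLv3 enabled. The sample configs are constructed, and the script only inspects explicit directives, not compiled-in defaults.

```python
import re

# Directive names are real (nginx ssl_protocols, Apache mod_ssl SSLProtocol);
# the audit logic and the sample configs below are constructed for this example.
DIRECTIVE = re.compile(r"^\s*(ssl_protocols|SSLProtocol)\s+([^;#]+)", re.IGNORECASE)
# Assumption: Apache's "all" is treated as including SSLv3 (errs toward flagging).
ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}

def enabled_protocols(directive, tokens):
    """Resolve one directive's arguments to the set of enabled protocol names."""
    apache = directive.lower() == "sslprotocol"
    enabled = set()
    for tok in tokens:
        name = tok.lstrip("+-").lower()
        names = ALL if (apache and name == "all") else {name}
        if apache and tok.startswith("-"):
            enabled -= names      # "-SSLv3" removes the protocol
        else:
            enabled |= names      # bare and "+" tokens are treated as additive
    return enabled

def audit(config_text):
    """Return (line_number, line) for each directive that leaves SSLv3 enabled."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = DIRECTIVE.match(line)  # commented-out directives do not match
        if m and "sslv3" in enabled_protocols(m.group(1), m.group(2).split()):
            findings.append((lineno, line.strip()))
    return findings

# Constructed sample configs: one weak and one corrected directive in each.
SAMPLE_NGINX = """\
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 8443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
"""
SAMPLE_APACHE = """\
SSLEngine on
SSLProtocol all -SSLv2
# SSLProtocol all
SSLProtocol all -SSLv2 -SSLv3
"""

if __name__ == "__main__":
    for name, text in (("nginx", SAMPLE_NGINX), ("apache", SAMPLE_APACHE)):
        for lineno, line in audit(text):
            print(f"{name}:{lineno}: SSLv3 still enabled: {line}")
```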

Apple has released Security Update 2014-005, which disables CBC-mode ciphers in coordination with SSLv3. The patch is available for Mac OS Mavericks, Mountain Lion, and Yosemite.

 

Suggestions

Until your favorite web browser releases a fix, I would stay away from any public WiFi network and wait until you get home to do anything important over SSL. Your home computer on your own network should be pretty secure and you shouldn't have to worry there.

As always, knowing is half the battle. Stay informed and keep connected.