Jesper “JJ” Jurcenoks VP Of Research At Critical Watch Explaining POODLE

A new Internet threat, dubbed POODLE (Padding Oracle On Downloaded Legacy Encryption), has been identified by Google researchers Thai Duong, Bodo Moller and Krzysztof Kotowicz. POODLE sounds cute but is no laughing matter. Although less problematic than Heartbleed or Shellshock, which were both discovered earlier this year, there are some serious privacy concerns associated with this security loophole. .

So what is POODLE?

Most online services use Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to encrypt and protect information so it cannot be easily intercepted, spied on, or modified by hackers while in transit between you and your service provider.

POODLE is a flaw in the SSL version 3, an archaic means of encryption. Exploiting the flaw is not as easy as because it requires the attacker to be on the same network as the victim.

This type of encryption is used by old browsers and servers, which only comprises about one percent of today’s Web traffic, according to Alan Woodward, a security researcher from the University of Surrey. Unfortunately, an attacker that does get into your system can take the computer.

Are you vulnerable?

The best way to know if you’re vulnerable to POODLE is by going to Poodletest.com. If you see a Poodle, that means you’re vulnerable. If you see a Springfield Terrier, you’re in the clear. The presence of a poodle, however, doesn’t mean you’re doomed.

Users, can turn off SSL 3.0, and some services have already issued instructions on how to do so. Microsoft has advised users to disable SSL 3.0 on Windows servers and PCs as well as Internet Explorer; steps can be found here. But according to Woodward, customers should not be the one to disable SSL 3.0, as this is a job for systems administrators. He advises that people at home should use the latest browsers to be safe.

Twitter Inc. was quick to take action, completely disabling SSL 3.0 in response to the threat. Google announced that Chrome and its servers have “supported TLS_FALLBACK_SCSV since February and thus we have good evidence that it can be used without compatibility problems.” The search giant also stated that it will be testing changes on Chrome that will disable fallback to SSL 3.0.

Another workaround is to use an encrypted VPN that doesn’t use SSL 3.0, or to make sure you don’t connect to an unencrypted WiFi network, such as a public network.

It’s time to update

Matthew Green, a cryptographer and research professor at Johns Hopkins University, explained on his blog why such a vulnerability exists – it’s because of Internet Explorer 6. The browser version, despite being a few years old, is still widely used, and uses SSL 3.0. Many servers still support SSL 3.0 fallback so users won’t hit a blank page while surfing the web.

“The problem with the obvious solution is that our aging Internet infrastructure is still loaded with crappy browsers and servers that can’t function without SSLv3 support. Browser vendors don’t want their customers to hit a blank wall anytime they access a server or load balancer that only supports SSLv3, so they enable fallback. Servers administrators don’t want to lock out the critical IE6 market, so they also support SSLv3. And we all suffer,” Green wrote.

Green added that the issue with SSL 3.0 will be “the straw that breaks the camel’s back and gets us to abandon obsolete protocols.”