Heartbleed, BASH and now POODLE - new SSL vulnerability discovered

Researchers from Google have announced the discovery of another major flaw in Web Security. It has been called POODLE and follows hot on the heels of Bash and Heartbleed. 

The vulnerability is rooted in SSL v3.0 that is used as part of the security framework used for encryption across the Internet. The POODLE bug makes it possible for hackers to use a ‘man in the middle’ attack to gain access to data. 

Unlike Heartbleed and Bash this vulnerability affects the client side browsers not servers.  The attack works by fooling servers to accept SSL 3.0 in what has been termed a ‘downgrade dance’.  Once the server has accepted the SSL 3.0 protocol a POODLE, that stands for Padding Oracle On Downgraded Legacy Encryption, can decrypt your data.  

This means SSL 3.0 is no longer secure and updates to browsers to address the problem will be rolled out shortly.  Although SSL 3.0 has been superseded by TLS for operational and compatibility reasons many servers allow browsers to use SSL 3.0 through a process called ‘insecure fallback’.  As TLS is backwards compatible with SSL even sites that use the newer standard are vulnerable. 

A POODLE Attack can be used against against all browsers or Sites that support SSL 3.0.  The advice contained in the advisory note is for system administrators to disable support for for SSL 3.0 or at least turn off CBC. For most modern systems this should be a straightforward fix, but for older browsers and servers this may present compatibility problems.

You can find the advisory from Google below.

/sites/default/files/images/ssl-poodle.pdf