It may sound cute, but Poodle flaw poses serious SSL encryption threat

There's nothing cute about a Poodle that can decrypt session cookies and hand cybercriminals the keys to a victim's email and other personal accounts, but that's exactly the sort of activity to which the Poodle flaw exposes users.

Mozilla is heralding an end to Secure Sockets Layer 3.0 (SSL 3.0), and the other major browser vendors are moving to disable the protocol as well. The notable holdout is Internet Explorer 6, which does not enable the successor protocol, TLS, by default. A team at Google discovered the Poodle flaw in late September.

"We have a plan to turn off SSLv3 in Firefox," says a Mozilla software engineer. "This plan was developed with other browser vendors after a team at Google discovered a critical flaw in SSLv3, which can allow an attacker to extract secret information from inside of an encrypted transaction. SSLv3 is an old version of the security system that underlies secure Web transactions and is known as the Secure Sockets Layer or Transport Layer Security (TLS)."

Mozilla is rolling out an update that disables SSL 3.0 to close the Poodle flaw, but it's warning users to make sure their browsers are configured to receive it. Mozilla recommends ticking the box next to "Automatically install updates" in the Advanced section of Firefox's Preferences menu.

Mozilla says Firefox still uses SSL 3.0 for about 0.3 percent of secure website connections. That sounds small, but given the sheer volume of traffic the Internet handles each day, it still represents millions of transactions that remain exposed, says Mozilla.

"Any website that supports SSLv3 is vulnerable to Poodle, even if it also supports more recent versions of TLS," says Mozilla. "In particular, these servers are subject to a downgrade attack, in which the attacker tricks the browser into connecting with SSLv3. This relies on a behavior of browsers called insecure fallback, where browsers attempt to negotiate lower versions of TLS or SSL when connections fail."

On the server side, sites that still accept SSL 3.0 will continue to put users at risk until they disable it and rely on the newer TLS standard; preferring TLS is not enough while SSL 3.0 stays enabled, because of the downgrade attack described above. Firefox 34, the next version of Mozilla's browser, will ship with SSL 3.0 turned off by default.
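To make the downgrade concrete, here is an added example in Python (not code from the article, from Google or from Mozilla) that models the negotiation described above: a browser with insecure version fallback, a man-in-the-middle that drops every handshake above SSL 3.0, and a server that either still accepts SSL 3.0 or has it removed. It goes beyond the article in also modelling TLS_FALLBACK_SCSV (RFC 7507), the signalling value a client adds to its fallback retries so that a server which still speaks the higher version can refuse the downgraded handshake. The version strings, class names, cipher suite list and the attacker are constructed for the model; no real TLS records are sent.

```python
"""Toy model of the POODLE downgrade dance. Constructed for illustration only:
it models the version negotiation, not the SSL 3.0 padding oracle itself."""

from dataclasses import dataclass, field

# Protocol versions in preference order, newest first (constructed labels;
# on the wire these are (major, minor) pairs).
TLS_1_2, TLS_1_1, TLS_1_0, SSL_3_0 = "TLSv1.2", "TLSv1.1", "TLSv1.0", "SSLv3"
VERSION_ORDER = [TLS_1_2, TLS_1_1, TLS_1_0, SSL_3_0]

# Marker for the RFC 7507 signalling cipher suite value; real clients send it
# only in a ClientHello that is a fallback retry, never on the first attempt.
TLS_FALLBACK_SCSV = "TLS_FALLBACK_SCSV"


class HandshakeDropped(Exception):
    """The attacker cut the connection during this handshake attempt."""


class HandshakeRejected(Exception):
    """The server refused this ClientHello."""


@dataclass
class Server:
    supported: set            # versions the server will negotiate
    honours_scsv: bool = False  # whether it implements the RFC 7507 check

    def handle_client_hello(self, version, cipher_suites):
        if version not in self.supported:
            raise HandshakeRejected(f"server does not speak {version}")
        if self.honours_scsv and TLS_FALLBACK_SCSV in cipher_suites:
            # RFC 7507: a fallback hello for a version lower than the server's
            # best supported version is answered with inappropriate_fallback.
            best = next(v for v in VERSION_ORDER if v in self.supported)
            if VERSION_ORDER.index(version) > VERSION_ORDER.index(best):
                raise HandshakeRejected("inappropriate_fallback")
        return version


@dataclass
class PoodleMitm:
    """Network attacker who drops every ClientHello above SSLv3 so that a
    falling-back client ends up speaking SSLv3 to the real server."""
    server: Server
    dropped: list = field(default_factory=list)

    def handle_client_hello(self, version, cipher_suites):
        if version != SSL_3_0:
            self.dropped.append(version)
            raise HandshakeDropped(f"attacker dropped {version} hello")
        return self.server.handle_client_hello(version, cipher_suites)


def connect(peer, insecure_fallback, send_scsv=False):
    """Return the negotiated version, or None if the client gives up.

    With insecure_fallback=True the client retries with the next-lower version
    after any failure, including a dropped connection; that is the browser
    behaviour POODLE abuses. With send_scsv=True every retry carries
    TLS_FALLBACK_SCSV so a server that honours it can refuse the downgrade."""
    suites = ["AES128-SHA"]  # constructed placeholder suite list
    attempts = VERSION_ORDER if insecure_fallback else VERSION_ORDER[:1]
    for i, version in enumerate(attempts):
        hello_suites = suites + ([TLS_FALLBACK_SCSV] if send_scsv and i > 0 else [])
        try:
            return peer.handle_client_hello(version, hello_suites)
        except (HandshakeDropped, HandshakeRejected):
            continue
    return None


def run_scenarios():
    """Negotiated version for each combination the article discusses."""
    legacy = lambda **kw: Server(set(VERSION_ORDER), **kw)
    no_sslv3 = Server({TLS_1_2, TLS_1_1, TLS_1_0})
    return {
        "no attacker, legacy server": connect(legacy(), insecure_fallback=True),
        "attacker, legacy server, fallback client": connect(PoodleMitm(legacy()), insecure_fallback=True),
        "attacker, legacy server, no fallback": connect(PoodleMitm(legacy()), insecure_fallback=False),
        "attacker, SSLv3 removed on server": connect(PoodleMitm(no_sslv3), insecure_fallback=True),
        "attacker, SCSV on both sides": connect(
            PoodleMitm(legacy(honours_scsv=True)), insecure_fallback=True, send_scsv=True),
    }


if __name__ == "__main__":
    for label, result in run_scenarios().items():
        print(f"{label}: {result}")
```

The model shows why Mozilla's two-sided advice is what it is: with SSL 3.0 still enabled on the server, an attacker who can only drop packets turns a falling-back browser into an SSL 3.0 client, while removing SSL 3.0 on the server (or removing insecure fallback in the browser) leaves the attacker with nothing better than a failed connection.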

As large-scale breaches continue to rock the Internet, web security teams have been stepping up efforts to spot vulnerabilities before they're exploited. Even so, security firms recently discovered a zero-day exploit that had been enabling hackers to spy on officials in NATO and Europe, energy firms and U.S. academic institutions.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.