POODLE: SSL 3.0 vulnerability discovered by Google

It turns out that Secure Sockets Layer (SSL) encryption, which we describe as securing internet communication, is vulnerable. Today researchers from Google announced (PDF) that they have discovered a bug (POODLE) in SSL 3.0. The exploit could be used to read sensitive data that is supposed to be encrypted between the client and the server.

The exploit first allows attackers to launch what Google calls a "downgrade dance": the client is told that the server does not support the more secure TLS (Transport Layer Security) protocol and is forced to connect via SSL 3.0. From there, the attacker can perform a man-in-the-middle attack to decrypt secure HTTP cookies. Google has named the vulnerability POODLE (Padding Oracle On Downgraded Legacy Encryption).

In other words, your data is no longer protected by encryption. The Google researchers, Bodo Möller, Thai Duong and Krzysztof Kotowicz, recommend disabling SSL 3.0 on both servers and clients. Server and client will then default to TLS to establish a secure connection, and the exploit will not be possible.

For end users, disable SSL 3.0 if your browser supports doing so, or, better still, use TLS_FALLBACK_SCSV (Transport Layer Security Signaling Cipher Suite Value). This prevents downgrade attacks. Google said it would begin testing changes in Chrome to disable the use of SSL 3.0 before removing support for the protocol from all its products in the coming months. In fact, there is already a Chromium patch available that disables SSL 3.0.
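To show how TLS_FALLBACK_SCSV stops the downgrade dance on the server side, here is an added example (not code from the article or from Google's researchers). It parses a constructed ClientHello (simplified: no extensions) and applies the rule from RFC 7507: if the client includes the signaling suite 0x5600 while offering a version lower than the server's best, the server refuses with inappropriate_fallback; a plain SSL 3.0 hello is refused because the protocol is disabled. The function names and sample bytes are assumptions made for this example.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600  # signaling cipher suite value from RFC 7507
SSL3_0, TLS1_0, TLS1_1, TLS1_2 = (3, 0), (3, 1), (3, 2), (3, 3)


def parse_client_hello(record: bytes) -> dict:
    """Extract client_version and the offered cipher suites from one
    handshake record carrying a ClientHello (hypothetical helper)."""
    content_type, _maj, _min, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != 22:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if body[0] != 1:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # client_version is what RFC 7507 compares, not the record-layer version
    client_version = (hello[0], hello[1])
    pos = 2 + 32                      # skip the 32-byte client random
    sid_len = hello[pos]; pos += 1 + sid_len
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    return {"version": client_version, "cipher_suites": suites}


def server_decision(hello: dict, server_max=TLS1_2) -> str:
    """Server-side policy: reject signalled fallbacks and SSL 3.0 outright."""
    version = hello["version"]
    if TLS_FALLBACK_SCSV in hello["cipher_suites"] and version < server_max:
        return "reject: inappropriate_fallback"   # client was downgraded
    if version == SSL3_0:
        return "reject: SSL 3.0 disabled"         # POODLE mitigation
    return "accept"


def build_client_hello(version, suites) -> bytes:
    """Constructed sample ClientHello (zero random, no session id,
    null compression, no extensions) for offline testing."""
    body = bytes(version) + b"\x00" * 32 + b"\x00"
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", 22, *version, len(hs)) + hs
```

A real server that has dropped SSL 3.0 would apply the same two checks before choosing a cipher suite.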

The Mozilla Foundation is also planning to disable SSL 3.0 in Firefox: "SSLv3 will be disabled by default in Firefox 34, which will be released on November 25."

Anyone who wants to disable SSL 3.0 in Firefox now can do so with the SSL Version Control add-on for Firefox.

iGuRu.gr

Written by Dimitris
