POODLE: SSL 3.0 vulnerability discovered by Google

It turns out that Secure Sockets Layer (SSL), the encryption we rely on for secure communication on the internet, has a vulnerability. Today Google announced (PDF) that it has discovered a bug (POODLE) in SSL 3.0. The exploit could be used to monitor sensitive data that is supposed to be encrypted between the client and the server.

The exploit first lets attackers start a "downgrade dance", as Google refers to it, which tells the client that the server does not support the more secure TLS (Transport Layer Security) protocol and forces it to connect via SSL 3.0. From there, the attacker can perform a man-in-the-middle attack to decrypt secure HTTP. Google calls the vulnerability POODLE (Padding Oracle On Downgraded Legacy Encryption).

In other words, your data is no longer encrypted. Google researchers Bodo Möller, Thai Duong and Krzysztof Kotowicz recommend disabling SSL 3.0 on servers and clients. The server and client will then default to TLS to make a secure connection, and exploitation will not be possible.

For end users: if your browser supports it, disable SSL 3.0 or, better yet, use tools that support TLS_FALLBACK_SCSV (Transport Layer Security Signaling Cipher Suite Value). This will prevent the downgrade. Google said it will begin tests in Chrome to disable the use of SSL 3.0 before removing support for the protocol entirely from all of its products in the coming months. In fact, there is already a Chromium patch available which disables SSL.

The Mozilla Foundation is also planning to disable SSL 3.0 in Firefox. "SSLv3 will be disabled by default in Firefox 34, which will be released on November 25."

Anyone interested in disabling SSL 3.0 in Firefox can do so with the SSL Version Control add-on for Firefox.


Written by Dimitris
