Google researchers have uncovered a security vulnerability in the widely used SSL version 3.0 that they say could allow hackers to take over accounts for email, banking and other services.
Researchers Bodo Moller, Thai Duong and Krzysztof Kotowicz created a Padding Oracle On Downgraded Legacy Encryption (POODLE) attack that exploited the flaw, prompting makers of web browsers and server software to tell users to disable SSL 3.0. SSL 3.0 has been superseded by Transport Layer Security, but the flaw could still leave users of old browsers and unpatched servers vulnerable, and even newer browsers can sometimes deploy SSL 3.0 encryption.
Poodle is the third SSL vulnerability to be found this year following Heartbleed and Shellshock, but experts have suggested that the threat from Poodle is not as serious as the previous two vulnerabilities.
According to Matthew Green, a professor at Johns Hopkins University’s department of computer science, Poodle lets an attacker who can control the internet connection between a person’s browser and a server, and run some code in their browser, potentially decrypt authentication cookies for sites such as Google, Yahoo and banks.
“This is obviously not a good thing, and unfortunately the attack is more practical than you think,” Green said on his blog.
Stuart Morgan, senior security consultant at MWR InfoSecurity, suggested that the likelihood of it being an issue for the vast number of users is minimal as the SSL protocol version 3.0 is practically “obsolete”.
However, security experts are treating it as an area of concern due to the fact that even the newest browsers can still fall back to SSL 3.0.
“If enterprises wanted to be extra secure, they could completely disable SSL 3.0 support in browsers, meaning they would never fall back beyond TLS 1.0,” said Morgan.
“It’s worth noting that since this will probably be the final nail in the coffin for SSL 3.0 support, we may see browser updates soon from Microsoft, Google, Apple and Firefox that will disable it by default,” he added.
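Morgan's advice is to switch SSL 3.0 off outright. As an added illustration (not code from the article, the researchers or MWR), the Python probe below lets an administrator confirm that one of their own servers really has done so: it sends a raw SSL 3.0 ClientHello offering the CBC cipher suites POODLE targets and classifies the first record the server sends back. The host name is a placeholder supplied on the command line.

```python
import os
import socket
import struct
import sys

SSL3_VERSION = b"\x03\x00"
# CBC suites an SSL 3.0 server may pick; their loose padding check is the POODLE weakness
CBC_SUITES = [0x000A, 0x002F, 0x0035]  # 3DES-SHA, AES128-SHA, AES256-SHA


def build_sslv3_client_hello(suites=CBC_SUITES) -> bytes:
    """Return an SSL 3.0 ClientHello wrapped in a handshake record."""
    body = SSL3_VERSION + os.urandom(32) + b"\x00"  # client_version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16" + SSL3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_server_response(data: bytes) -> str:
    """Classify the first record a server returns to the SSL 3.0 ClientHello."""
    if len(data) < 5:
        return "no-response"
    content_type = data[0]
    if content_type == 0x15:  # alert (e.g. protocol_version or handshake_failure): SSL 3.0 refused
        return "rejected"
    # handshake record carrying a ServerHello whose server_version is still 3.0
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02 and data[9:11] == SSL3_VERSION:
        return "accepts-sslv3"
    return "other"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Open a TCP connection, send the SSL 3.0 ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return "no-response"
    return classify_server_response(data)


if __name__ == "__main__":
    # usage: python probe_sslv3.py <your-host> [port]; the host is a placeholder you supply
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(probe(sys.argv[1], target_port))
```

A result of "accepts-sslv3" means the server still negotiates SSL 3.0 and a fallback-capable client could be downgraded to it; "rejected" is the state the advice above aims for.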
But most security experts seem to feel that the vulnerability is not a huge concern.
“This is not another Heartbleed. It’s bad, but it’s not going to destroy the internet,” Green said.
“Given the access that you need to be able to successfully launch the Poodle attack, it would not be the easiest realistic attack to perform anyway,” Morgan added.
“There are plenty of other attacks to choose from; most are less elegant but are far more likely to result in compromise than this.”