Internet security at risk from poodles

15 October 2014

Google's security team - imagine some detective types with torches, illuminating the dark passageways of the internet - have discovered a potential vulnerability in SSL 3.0.

Google reckon that SSL 3.0 is an insecure, obsolete protocol that has since been superseded. But even when servers support the more secure TLS 1.0, TLS 1.1 or TLS 1.2, the downgrading that takes place between servers and clients can be exploited using a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack.

Bodo Möller from Google's security team points out that this move will "break some sites" and the advice is to support TLS_FALLBACK_SCSV instead, at least for the time being. OR THE POODLES WILL GET YOU.

Basically, an attacker can force this protocol downgrade by preventing the initial connection from succeeding. The encryption used in SSL 3.0 is fairly easily cracked and a relatively simple attack can then be used to intercept and decrypt secure cookies.
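To see why TLS_FALLBACK_SCSV helps, here is a toy model of the fallback retry and the server-side check, added as an illustration and not taken from Google's post or from any TLS library. The function names and the `dropped` set are made up for the example; the SCSV value 0x5600 and alert code 86 are the ones defined in RFC 7507.

```python
# Toy model of browser version fallback and the TLS_FALLBACK_SCSV check (RFC 7507).
# Versions and results are plain values; there is no real handshake or network I/O.
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
ALL_VERSIONS = {SSL3, TLS10, TLS11, TLS12}
TLS_FALLBACK_SCSV = 0x5600        # signalling cipher suite value (RFC 7507)
INAPPROPRIATE_FALLBACK = 86       # alert a checking server sends back (RFC 7507)
AES128_CBC_SHA = 0x002F           # TLS_RSA_WITH_AES_128_CBC_SHA, a CBC suite


def server_hello(server_max, client_version, suites, checks_scsv):
    """Return ('ok', negotiated_version) or ('alert', code)."""
    if checks_scsv and TLS_FALLBACK_SCSV in suites and client_version < server_max:
        # The client says this is a retry at a lower version, but the server
        # supports something higher, so the earlier failure was interference.
        return ("alert", INAPPROPRIATE_FALLBACK)
    return ("ok", min(server_max, client_version))


def connect(client_versions, server_max, dropped, client_scsv, server_scsv):
    """Try versions from highest to lowest, retrying after each failed handshake.

    dropped: constructed set of versions whose handshake never completes.
    """
    highest = max(client_versions)
    for version in sorted(client_versions, reverse=True):
        if version in dropped:
            continue                      # no reply, so the client falls back
        suites = [AES128_CBC_SHA]
        if client_scsv and version < highest:
            suites.append(TLS_FALLBACK_SCSV)   # mark this hello as a fallback retry
        return server_hello(server_max, version, suites, server_scsv)
    return ("fail", None)


if __name__ == "__main__":
    tls_blocked = {TLS10, TLS11, TLS12}
    print(connect(ALL_VERSIONS, TLS12, set(), True, True))          # clean path
    print(connect(ALL_VERSIONS, TLS12, tls_blocked, False, False))  # silent downgrade
    print(connect(ALL_VERSIONS, TLS12, tls_blocked, True, True))    # downgrade refused
    print(connect(ALL_VERSIONS, SSL3, tls_blocked, True, True))     # genuine legacy server
```

The last case shows why this breaks fewer sites than switching SSL 3.0 off: a server that really only speaks SSL 3.0 still connects, while a forced downgrade against a TLS 1.2 server is refused. Both the client and the server have to support the signal for the check to fire.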

What that means is that hackers could steal browser cookies and potentially end up controlling your email, bank details and social network accounts.

So yes. BEWARE POODLES! Not only that - these POODLES are similar to another vulnerability called Firesheep. It seems that the internet is under threat from animals that have fluffy fur.

These problems will only affect people who haven't updated their browsers in a while, so if you're using Internet Explorer 6, you may find your computer filling up with wool. So update your browser now, y'idiot.

