POODLE in the middle

Looks like the trend of security flaws in encryption protocols continues. Heartbleed, Bash Shellshock, and now POODLE. POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This basically means that on encrypted HTTPS connections, applications like browsers will be forced to default down from TLS to SSL 3.0 even when the application supports all the versions of TLS. SSL 3.0 has been shown to be vulnerable to man-in-the-middle attacks since about 15 years ago. However, many applications and servers still use it because they have not adopted the TLS standard for encryption. An example of this is Internet Explorer 6. Many servers still allow browsers to connect using SSL 3.0, like IE 6, which cannot support TLS. If servers or websites dropped connections that did not support TLS encryption, the applications that only had SSL 3.0 would be dropped as well. Even though the majority of currently browsers support TLS, there are still some people who use older browsers. Even newer browsers use the SSL 3.0 protocol as backup, and this is the mechanism that the POODLE attack uses to hack a computer. In order for a hacker to be able to listen in and intercept your private data with the POODLE attack, they have to be within the same network as you, usually in a public Wi-Fi setting, and then have to inject malicious JavaScript code in your computer from visiting a compromised website, then they can start their man-in-the-middle attack to intercept your cookies and other data.

Browsers like Google Chrome and Mozilla Firefox have already patched this flaw by using the mechanism of TLS_FALLBACK_SCSV, which prevents the automatic fallback down to SSL 3.0. Google engineers are the ones that found the POODLE Vulnerability, which will effectively kill any future use (finally!) of SSL 3.0. Chrome will go beyond patching this vulnerability and will get rid of SSL 3.0 from their browser in the next version of the browser (good riddance!). Internet Explorer released a fixit to Even Sony is patching this on their PS3 and PS4 consoles, permanently getting rid of SSL 3.0 as a form of encryption.

There are still some servers (websites) that still rely on SSL 3.0 to authenticate with the clients, but this is slowly getting patched. Even OpenSSL (which was victim of the Hearbleed bug earlier this year) has patched their code with the included the TLS_FALLBACK_SCSV mechanism. However, the good news regarding POODLE vulnerability stop there. There is a Variant that affects TLS connections as well, but that’s a topic for another blog post.

TRA consulting not only focuses on Home Personal security, but also in SMB (Small to Medium size Businesses) security. Our goal is to provide full IT support to growing small businesses who are too small to have a full time IT staff, yet big enough that they need one. We have many highly satisfied customers in the Long Beach, Orange County, South bay, and Los Angeles area. Contact us today, and let us take care of all of your computer security needs. Our prices are reasonable and our services are top notch. Our motto is “minimum fuss, maximum satisfaction”. Call us Today!!