Warning: There’s a rabid POODLE running loose in SSL


This Wednesday, researchers at Google published a paper describing a new Internet-wide security vulnerability affecting version 3 of the Secure Sockets Layer protocol (SSLv3). SSL is used to encrypt traffic between your browser and a web server, or between your email client and an email server. Attackers who leverage this vulnerability could intercept and decrypt session cookies, which would enable them to log into your online accounts without a password.

POODLE, which stands for Padding Oracle on Downgraded Legacy Encryption, is primarily a concern for users who connect to the Internet through public networks. Attackers must be on the same network as you to leverage the vulnerability, and furthermore you must be using SSLv3 to communicate with a server. The good news is that unless you are using technology from about 13 years ago (namely, Internet Explorer 6 on Windows XP), your machine is most likely using the more modern and invulnerable TLS protocol to perform encryption. Researchers have indicated, however, that some computers will automatically downgrade to SSLv3 in instances where TLS communication fails. It is this last possibility that will give attackers the greatest opportunity to perform POODLE exploitation.

Besides acting as yet another nail in the XP coffin, POODLE may spell trouble for users who connect to the Internet through networks outside of their home. If that’s you, and you’re looking for more information on why vulnerabilities like POODLE can be a problem in public networks, check out our recent Security Knowledge article on firewalls, and consider adding a software-based firewall like Emsisoft Internet Security to your armory.

To find out if your browser is vulnerable to POODLE, you can now also navigate to PoodleTest.com.

Have a great (POODLE-free) day!

System administrators looking for technical threat mitigation measures can refer to Google's statement on POODLE.
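Because POODLE requires that the connection actually use SSLv3, one thing an administrator can check is whether a server configuration still offers it. The following is an added example, not code from the original post or from Google's statement: a small auditor for nginx `ssl_protocols` and Apache `SSLProtocol` lines. The sample configs are constructed, and the Apache `all` keyword is assumed to include SSLv3.

```python
# Constructed sample configs for illustration (not from any real server).
NGINX_SAMPLE = """
server {
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;  # legacy listener
}
server {
    ssl_protocols TLSv1.2;
}
"""
APACHE_SAMPLE = """
# SSLProtocol all
SSLProtocol all -SSLv2
<VirtualHost *:443>
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
"""
ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}

def nginx_allows_sslv3(args):
    # nginx ssl_protocols is a plain allow-list of protocol names.
    return "sslv3" in (a.lower() for a in args)

def apache_allows_sslv3(args):
    # mod_ssl applies tokens left to right: a bare name replaces the set,
    # +name adds to it, -name removes from it. Assumption: "all" includes
    # SSLv3, which is the conservative reading for an audit.
    enabled = set()
    for tok in args:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        names = ALL if name.lower() == "all" else {name.lower()}
        if sign == "-":
            enabled -= names
        elif sign == "+":
            enabled |= names
        else:
            enabled = set(names)
    return "sslv3" in enabled

CHECKS = {"ssl_protocols": nginx_allows_sslv3, "sslprotocol": apache_allows_sslv3}

def audit(text):
    """Return (line_number, directive) for each setting that leaves SSLv3 enabled."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        parts = line.split()
        check = CHECKS.get(parts[0].lower()) if len(parts) > 1 else None
        if check and check(parts[1:]):
            findings.append((number, line))
    return findings
```

Calling `audit()` on the text of a config file returns the line numbers to fix; an empty list means no listed directive enables SSLv3, though it does not cover protocol defaults that apply when no directive is present.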

 


Senan Conrad
