Google has exposed a design flaw in the widely used SSL web encryption technology (version 3.0), which has been around for 15 years.
Google researchers revealed the vulnerability, dubbed a Poodle attack, in a security blog posting.
“This vulnerability allows the plaintext of secure connections to be calculated by a network attacker,” wrote Bodo Möller, from Google Security Team.
Möller pointed out that SSL 3.0 is widely used and supported as it is nearly 15 years old, but he indicated that Google intends to “completely remove” support for SSL 3.0 from its client products in the coming months, and has labelled it a “obsolete and insecure protocol.”
He advised the disabling of SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, but doing that can cause “significant compatibility problems.” Thus Google recommends support for TLS_FALLBACK_SCSV.
“This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0,” said Möller. “It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.”
A security advisory has already been published, in which the researchers revealed how attackers can “exploit the downgrade dance and break the cryptographic security of SSL 3.0.”
“Our POODLE attack (Padding Oracle On Downgraded Legacy Encryption) will allow them, for example, to steal ‘secure’ HTTP cookies (or other bearer tokens) such as HTTP Authorisation header contents.”
It has been something of a torrid time recently for SSL, but it is worth noting that there has been flaws discovered in the technology in previous years. However, this year has been an especially tough period.
In April chaos was caused by the “Heartbleed” bug after it was discovered in OpenSSL.
Last month a serious vulnerability in Bash, dubbed ‘Shellshock’, was discovered in OS X. That flaw allowed an attacker to run a wide range of malicious code remotely.
Are you a security pro? Try our quiz!
Fourth quarter results beat Wall Street expectations, as overall sales rise 6 percent, but EU…
Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…
Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…
Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…
Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…
Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…