Google Reveals ‘Poodle’ SSL Encryption Vulnerability

Google has exposed a design flaw in the widely used SSL web encryption technology (version 3.0), which has been around for 15 years.

Google researchers revealed the vulnerability, dubbed a Poodle attack, in a security blog posting.

Downgrade Dance

“This vulnerability allows the plaintext of secure connections to be calculated by a network attacker,” wrote Bodo Möller of the Google Security Team.

Möller pointed out that SSL 3.0, which is nearly 15 years old, is still widely used and supported. He indicated that Google intends to “completely remove” support for SSL 3.0 from its client products in the coming months, and has labelled it an “obsolete and insecure protocol.”

“Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0,” warned Möller. “Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue.”

He advised disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, but doing so can cause “significant compatibility problems.” Google therefore recommends support for TLS_FALLBACK_SCSV.

“This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0,” said Möller. “It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.”
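The fallback check described above, modelled as an added example that is not code from Google's advisory or from this article. The function names, the `drop_above` parameter and the server options are hypothetical; the SCSV value 0x5600 and alert number 86 are the ones assigned in RFC 7507.

```python
# Added illustration: models the TLS_FALLBACK_SCSV decision only; not a real TLS stack.
TLS_FALLBACK_SCSV = 0x5600          # signalling cipher suite value (RFC 7507)
INAPPROPRIATE_FALLBACK = 86         # TLS alert number (RFC 7507)
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
NAMES = {SSL3: "SSL 3.0", TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2"}
CBC_SUITE = 0x002F                  # TLS_RSA_WITH_AES_128_CBC_SHA


def server_hello(client_version, cipher_suites, server_max=TLS12, honours_scsv=True):
    """Return ("ok", version) or ("alert", code) for one ClientHello."""
    if honours_scsv and TLS_FALLBACK_SCSV in cipher_suites and client_version < server_max:
        # The client marks this as a retry at a lower version, yet the server
        # supports something higher: the earlier failure was not a genuine
        # incompatibility, so the handshake is refused.
        return ("alert", INAPPROPRIATE_FALLBACK)
    return ("ok", min(client_version, server_max))


def downgrade_dance(client_versions, drop_above, client_sends_scsv, **server):
    """Client retries at successively lower versions, as browsers did.

    drop_above: constructed model of connection failures on the network;
    ClientHellos offering a higher version than this never reach the server.
    """
    highest = client_versions[0]
    for version in client_versions:
        if drop_above is not None and version > drop_above:
            continue   # connection failed; client retries with an older version
        suites = [CBC_SUITE]
        if client_sends_scsv and version < highest:
            suites.append(TLS_FALLBACK_SCSV)   # flag this attempt as a fallback
        status, value = server_hello(version, suites, **server)
        if status == "alert":
            return f"aborted: alert {value}"
        return f"negotiated {NAMES[value]}"
    return "no connection"


if __name__ == "__main__":
    order = [TLS12, TLS11, TLS10, SSL3]
    print(downgrade_dance(order, None, True))                        # clean network
    print(downgrade_dance(order, SSL3, False))                       # no SCSV on client
    print(downgrade_dance(order, SSL3, True))                        # both sides support SCSV
    print(downgrade_dance(order, SSL3, True, honours_scsv=False))    # server ignores SCSV
```

The last case shows why the mechanism only helps when both client and server implement it; a server that really tops out at an older version still accepts the fallback, because the client's offer is not below the server's maximum.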

A security advisory has already been published, in which the researchers revealed how attackers can “exploit the downgrade dance and break the cryptographic security of SSL 3.0.”

“Our POODLE attack (Padding Oracle On Downgraded Legacy Encryption) will allow them, for example, to steal ‘secure’ HTTP cookies (or other bearer tokens) such as HTTP Authorisation header contents.”

Other Flaws

It has been something of a torrid time recently for SSL, but it is worth noting that there have been flaws discovered in the technology in previous years. However, this year has been an especially tough period.

In April chaos was caused by the “Heartbleed” bug after it was discovered in OpenSSL.

Last month a serious vulnerability in Bash, dubbed ‘Shellshock’, was discovered in OS X. That flaw allowed an attacker to run a wide range of malicious code remotely.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
