Google has exposed a design flaw in the widely used SSL web encryption technology (version 3.0), which has been around for 15 years.
Google researchers revealed the vulnerability, dubbed a Poodle attack, in a security blog posting.
“This vulnerability allows the plaintext of secure connections to be calculated by a network attacker,” wrote Bodo Möller, from Google Security Team.
Möller pointed out that SSL 3.0 is widely used and supported as it is nearly 15 years old, but he indicated that Google intends to “completely remove” support for SSL 3.0 from its client products in the coming months, and has labelled it a “obsolete and insecure protocol.”
He advised the disabling of SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, but doing that can cause “significant compatibility problems.” Thus Google recommends support for TLS_FALLBACK_SCSV.
“This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0,” said Möller. “It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.”
A security advisory has already been published, in which the researchers revealed how attackers can “exploit the downgrade dance and break the cryptographic security of SSL 3.0.”
“Our POODLE attack (Padding Oracle On Downgraded Legacy Encryption) will allow them, for example, to steal ‘secure’ HTTP cookies (or other bearer tokens) such as HTTP Authorisation header contents.”
It has been something of a torrid time recently for SSL, but it is worth noting that there has been flaws discovered in the technology in previous years. However, this year has been an especially tough period.
In April chaos was caused by the “Heartbleed” bug after it was discovered in OpenSSL.
Last month a serious vulnerability in Bash, dubbed ‘Shellshock’, was discovered in OS X. That flaw allowed an attacker to run a wide range of malicious code remotely.
Are you a security pro? Try our quiz!
Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector
Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…
Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…
Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…
Explore the future of work with the Silicon In Focus Podcast. Discover how AI is…
Executive hits out at the DoJ's “staggering proposal” to force Google to sell off its…