On October 14th, Google released details on a new concern concerning the SSL protocol, just a short time ago, after the Heartbleed incident brought attention to “SSL” and its possible weaknesses which included allowing the plain text of secure connections to be determined by a network hacker. This latest vulnerability is referred to as “POODLE” (Padding Oracle on Downgraded Legacy Encryption) and believe me; there’s nothing “Poodle like” about it.
POODLE
POODLE
This newly discovered vulnerability affects an old version of the SSL protocol, presenting a new threat to an increased range of web servers due to the fact that they are comprised of legacy support for out of date technology. This latest vulnerability affects the 3.0 versions of SSL that was released in 1996, which over the years has been replaced by numerous newer versions of TLS, its successor protocol. Even with the newer versions, the vulnerability is still a concern because SSL 3.0 is still supported by nearly all web browsers and large numbers of web servers as well. The problem is that the backwards compatibility with older SSL versions has the potential of getting you into real trouble thanks to POODLE.
About SSL
When you enter high profile websites like Google, Twitter and your banking websites, you usually access them using https:// or a feature referred to as SSL which stands for “secure sockets layer”. The bad news is that the POODLE security defect has the potential of breaking that open. SSL as well as TLS, which stands for “Transport Layer Security” features encryption that is supposed to protect your information from being spied on, intercepted or modified by attackers between you and any applicable service provider.
More About SSL
SSL is a common technology that’s function is to prevent people who frequent the same wireless hotspot with you from seeing your transactions while you access your online banking accounts, etc., ensuring that your usernames and passwords don’t get in the hands of the wrong people whose only goals are to hijack your bank accounts and personal information. In other words, SSL is a primary component of privacy, security and trust online. Even with these security measures, numerous sites still fail to comply with the best practices and a large number neglect to put these security features into practice at all, leaving important information open to interception. In fact, even those who try to do the right thing can experience significant setbacks as a result of implementation security vulnerabilities. That is exactly what can happen thanks to the POODLE vulnerability.
Who is Affected by this Vulnerability?
POODLE has the potential of affecting any software that can be forced into communicating via SSLv3; meaning that all software that makes use of a fallback process that incorporates SSLv3 support is susceptible and can be exploited. Just a few of the most common software options that have the potential of being affected by POODLE include web servers, mail servers, VPN servers and web browsers.
How Does It Work ?
Under the right conditions POODLE allows the attacker to gain access to important information that makes it easy for them to take control of your account. For it to work the attacker just needs to be on the same path of communication and/or wireless network and they need to be running Javascript like a web browser. In this case, the attack isn’t quite as serious as the Heartbleed vulnerabilities were but POODLE is still extremely serious when you consider how many people are wireless these days. As a matter of fact, it’s so serious that Twitter has announced that they’ve completely disabled SSLv3.
Can I Protect Myself ?
To project yourself, it’s important that measures are taken to ensure that you’re not vulnerable in your roles as both a user and a server. Considering the fact that encryption is typically negotiated between the two, avoiding the effects of POODLE involves both parties. Steps will need to be taken to completely disable SSLv3 support; it’s important to keep in mind that a lot of applications use more effective encryption by default, however often still employ SSLv3 support as a fallback alternative. SSLv3 should definitely be disabled because if it isn’t a malicious user will have the ability to force SSLv3 communication if both participants permit it as an acceptable support method.
Because of the wide ranging support for SSLv3, even when more powerful encryption is permitted, this new vulnerability is far reaching and dangerous. These problems can be addressed if you take the appropriate measures to protect yourself as both a provider and consumer of any resources that make use of SSL encryption.
Author - Peter Bassill
About SSL
When you enter high profile websites like Google, Twitter and your banking websites, you usually access them using https:// or a feature referred to as SSL which stands for “secure sockets layer”. The bad news is that the POODLE security defect has the potential of breaking that open. SSL as well as TLS, which stands for “Transport Layer Security” features encryption that is supposed to protect your information from being spied on, intercepted or modified by attackers between you and any applicable service provider.
More About SSL
SSL is a common technology that’s function is to prevent people who frequent the same wireless hotspot with you from seeing your transactions while you access your online banking accounts, etc., ensuring that your usernames and passwords don’t get in the hands of the wrong people whose only goals are to hijack your bank accounts and personal information. In other words, SSL is a primary component of privacy, security and trust online. Even with these security measures, numerous sites still fail to comply with the best practices and a large number neglect to put these security features into practice at all, leaving important information open to interception. In fact, even those who try to do the right thing can experience significant setbacks as a result of implementation security vulnerabilities. That is exactly what can happen thanks to the POODLE vulnerability.
Who is Affected by this Vulnerability?
POODLE has the potential of affecting any software that can be forced into communicating via SSLv3; meaning that all software that makes use of a fallback process that incorporates SSLv3 support is susceptible and can be exploited. Just a few of the most common software options that have the potential of being affected by POODLE include web servers, mail servers, VPN servers and web browsers.
How Does It Work ?
Under the right conditions POODLE allows the attacker to gain access to important information that makes it easy for them to take control of your account. For it to work the attacker just needs to be on the same path of communication and/or wireless network and they need to be running Javascript like a web browser. In this case, the attack isn’t quite as serious as the Heartbleed vulnerabilities were but POODLE is still extremely serious when you consider how many people are wireless these days. As a matter of fact, it’s so serious that Twitter has announced that they’ve completely disabled SSLv3.
Can I Protect Myself ?
To project yourself, it’s important that measures are taken to ensure that you’re not vulnerable in your roles as both a user and a server. Considering the fact that encryption is typically negotiated between the two, avoiding the effects of POODLE involves both parties. Steps will need to be taken to completely disable SSLv3 support; it’s important to keep in mind that a lot of applications use more effective encryption by default, however often still employ SSLv3 support as a fallback alternative. SSLv3 should definitely be disabled because if it isn’t a malicious user will have the ability to force SSLv3 communication if both participants permit it as an acceptable support method.
Because of the wide ranging support for SSLv3, even when more powerful encryption is permitted, this new vulnerability is far reaching and dangerous. These problems can be addressed if you take the appropriate measures to protect yourself as both a provider and consumer of any resources that make use of SSL encryption.
Author - Peter Bassill
No comments:
Post a Comment