Science and Tech

Actions

New 'POODLE' Bug Can Compromise Secure Encryptions

The POODLE attack makes use of a vulnerability in the 15-year-old SSL 3.0 to access otherwise secure data during web browsing.
Posted

Just as we were winding down from security issues surrounding the Shellshock bug, another security vulnerability is making the rounds.

This one's called POODLE, an acronym for "padding oracle on downgraded legacy encryption," and has absolutely nothing to do with the dog. 

When you visit a site using a secure connection — sites where you can see the padlock in the address bar — your browser is connecting to a secure server. If it can't connect to the server using the most updated communication method, your browser will retry using older methods like SSL 3.0.

And that's where the vulnerability exists. According to the team of Google employees who discovered it, the 15-year-old SSL 3.0 has a vulnerability that allows an attacker to view information that would otherwise be secure. What's worse, attackers can force your browser to use SSL 3.0 by causing connection issues with updated methods. 

All of this begs the question — short of just never using the Internet again — what can you do to protect yourself from the POODLE? 

A writer for The Next Web recommends disabling support for SSL 3.0 in your browser. The site lists a few tools and add-ons that will do just that.

Google says it will begin testing versions of its Chrome browser that don't allow the browser to fall back to SSL 3.0, effectively ridding users of the vulnerability. (Video via Google)

And Mozilla, the company behind the Firefox web browser, says it plans to turn off SSL 3.0 in an update available on November 25. (Video via Mozilla)

In short, make sure you're updating your browser to the latest and greatest version. Other than that, it's a waiting game — companies will need to update their servers and disable support for SSL 3.0. 

This video includes images from Oliver Clarke / CC BY 2.0 and Pete Markham / CC BY SA 2.0.