Quantcast
Channel: ISOC » Advisory
Viewing all articles
Browse latest Browse all 10

POODLE the latest SSL vulnerability

0
0

Date: 10/17/14

Source: PCWorld, TechTarget

Description:

In an article written by Tony Bradley, he states…

What Is POODLE?

POODLE is actually an acronym for “Padding Oracle On Downgraded Legacy Encryption.” SSLv3 is rarely used today, but most Web browsers will negotiate a compatible encryption protocol when connecting to a site or server, and are capable of downgrading to SSLv3 if necessary. The POODLE attack relies in part on forcing the target browser to fall back to the legacy protocol, which has inherent weaknesses that can be exploited to allow the attacker to access the encrypted information.

Greg Foss, senior security research engineer for LogRhythm, points out that POODLE is just the latest vulnerability found in SSLv3. BEAST ruled the headlines a few years ago, and the flaw still exists. The only mitigation is to stop using SSLv3 and move to a more secure protocol, like TLS.

Why Does POODLE Matter?

Foss explains, “POODLE is something else, however the impact is similar to BEAST in that it allows for decryption of part of the message. Fundamentally, this vulnerability is the result of a design-flaw within SSLv3 in that it does not specify the contents of padding bytes, whereas TLS does.”

Impacted Users: Mr Bradley goes on to share that the Bark is bigger than the bite, in this case. He shares that most people are probably vulnerable but being vulnerable in and of itself, however, is not enough. The attacker must also be on the same network as the vulnerable system in order to intercept and decrypt your SSLv3 traffic, so the actual threat in the real world is not as huge as some reports in the media make it seem.

 

Mitigation Procedure:

Mr Bradley shares that according to Morey Haber, senior director of program management for BeyondTrust, the solution is relatively simple: Patch and update. “Upgrade your OS and browsers to the latest versions and continue to patch on a regular basis. Avoid end-of-life operating systems like Windows XP. For companies that are still using SSL3.0 on their websites, they need to think of their customers first and upgrade as well.”

The major browsers are responding to the threat with updates that will disable SSLv3 and / or prevent the browser from downgrading to the vulnerable protocol. Greg Keizer of sister site Computerworld reported that Mozilla will disable SSLv3 effective with Firefox 34—scheduled for release on November 25. Google and Microsoft have both announced intentions to make similar changes, but they’ve not committed to a specific timeline. It seems safe to assume, though, that both Google and Microsoft will react as quickly as possible to protect customers.

In the meantime, you can manually disable SSLv3 compatibility in your browser. For example, in the Internet Options of Internet Explorer on the Advanced tab under Security, you can simply uncheck SSL 3.0 as an option. It is also possible to do in Firefox and Chrome, although the process may not be as simple.

 

Brandon Blevins, an author of an article on POODLE from TechTarget states OpenSSL has issued a patch that accomplishes the recommendations of the Google Researchers who discovered the vulnerability.

 

 

To keep up to date on the latest security news, please visit the University Information Security site at www.massachusetts.edu/informationsecurity.


Viewing all articles
Browse latest Browse all 10

Latest Images

Trending Articles





Latest Images