The POODLE bug internet vulnerability! Watch this video then check your browser

In case you haven't heard, the boffins at Google have discovered a vulnerability that is pretty serious.

It's not as bad as Heartbleed or the Shellshock Bash bug, but it's not the kind of thing you want a malicious hacker to exploit anywhere near you.

It's called the POODLE vulnerability, or as I like to think of it "the POODLE bug".

Learn more in the following video:

POODLE stands for "Padding Oracle On Downgraded Legacy Encryption", and it's a way of intercepting supposedly secure SSL communications between your computer and a website.

If everything is working properly, SSL should be one of the ways in which your internet communications are secured.

But POODLE provides a way for attackers to trick your computer into not using the latest and greatest encryption for its internet communications, and using SSL 3.0 instead. And SSL 3.0 is about 18 years old, contains bugs, and was long ago superseded by stronger technologies.

The good news is that, unlike Heartbleed or Shellshock, anyone who wants to POODLE you has to get in between your computer and a website that you're visiting. The most likely way they are going to do that is if you are accessing the web using free WiFi in a coffee shop, and don't notice the hacker sitting in the corner of the room - sniffing up your data as it flies through the airwaves.

What they can't do is attack you from the other side of the world.

Furthermore, it appears that a successful POODLE attack (a POODLE bite?) is most likely to be able to steal your session cookies, rather than everything you are transmitting back and forth over the web. But if a hacker manages to grab those, they could still read your webmail messages, or post tweets in your name, and cause all kinds of other mischief.

As I explain in the video, you can test your browser by visiting sites like the ever-so-cute www.poodletest.com, and test websites with www.poodlescan.com.

If possible, set the minimum version of SSL that your web browser will support to TLS version 1.

Scott Helme has helpfully described how to disable SSL 3.0 in all major browsers and server platforms here.
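A simplified model of why raising the minimum version works, as an added example that is not part of the original post: it simulates the retry-at-a-lower-version behaviour of older browsers and shows where the connection ends up with and without an SSL 3.0 floor. The names `Proto`, `handshake`, `connect` and `disrupted` are hypothetical, and no real network traffic is involved.

```python
from enum import IntEnum


class Proto(IntEnum):
    """Protocol versions as they appear on the wire (major << 8 | minor)."""
    SSL3 = 0x0300
    TLS1_0 = 0x0301
    TLS1_1 = 0x0302
    TLS1_2 = 0x0303


ALL = frozenset(Proto)
TLS_ONLY = frozenset(v for v in Proto if v >= Proto.TLS1_0)


def handshake(offer, server_versions, disrupted):
    """One attempt. The server answers with the highest version it supports
    that does not exceed the client's offer. `disrupted` is a hypothetical
    stand-in for handshakes that fail because of interference on the path."""
    if offer in disrupted:
        return None
    usable = [v for v in server_versions if v <= offer]
    return max(usable) if usable else None


def connect(client_min, server_versions, disrupted=frozenset(),
            client_max=Proto.TLS1_2):
    """Legacy browser fallback: after a failed attempt, retry one version
    lower, but never below client_min (the floor the article says to raise)."""
    offers = sorted((v for v in Proto if client_min <= v <= client_max),
                    reverse=True)
    for offer in offers:
        agreed = handshake(offer, server_versions, disrupted)
        if agreed is not None and agreed >= client_min:
            return agreed
    return None  # fail closed: no connection rather than a weak one


if __name__ == "__main__":
    cases = {
        "default floor, clean path": connect(Proto.SSL3, ALL),
        "default floor, disrupted": connect(Proto.SSL3, ALL, TLS_ONLY),
        "floor TLS 1.0, disrupted": connect(Proto.TLS1_0, ALL, TLS_ONLY),
        "server without SSL 3.0": connect(Proto.SSL3, TLS_ONLY, TLS_ONLY),
    }
    for name, result in cases.items():
        print(f"{name}: {result.name if result else 'no connection'}")
```

With the floor at TLS 1.0 on the client, or SSL 3.0 disabled on the server, the disrupted connection fails outright instead of settling on SSL 3.0.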


5 Responses

  1. Lewis Morgan

    October 16, 2014 at 3:43 pm #

    Useful as always, thanks.

    Also, you forgot the 'f' in furthermore

  2. Coyote

    October 16, 2014 at 10:32 pm #

    Google found it you say? Funny, check this:

    "google.com:443 (173.194.33.104) – Vulnerable"

    As for the issue, indeed SSL has always and will always have problems… and TLS isn't exactly perfect either. Once you expanded the acronym I had a suspicion it was indeed what you went to go on to explain. I'm rather perplexed that this is only being brought up now. To be fair I didn't watch the video (yet) and so maybe it is yet another method of doing this (somehow suspect this indeed the case).

    • Coyote in reply to Coyote.

      October 16, 2014 at 10:49 pm #

      Ah, I see. They are phasing it out. Good. I didn't know they were using it, though (is a long time that SSLv3 is recommended). And as for the exploit, reading the PDF at openssl, it somehow reminds me of ssh in that it has a fall-back IF the server supports it (and only a very naive administrator would allow ssh v1). Interesting to think about it in those terms, however: with websites having a need to encrypt data – e.g., credit card/similar – they also need to make sure it works for all their customers. Yet this is a problem itself for this exploit as well as others. So how to address it? Do you miss out on some customers or do you risk? And even more than that, different departments in the corporation are going to have different views, experience and in the end one decides and it might not be the best choice.

      Once again, it only proves more so that there are so many variables and one person's experience someone else. The trick is merging all experience together and that is unfortunately never going to happen as there's always something new (whether that is a new exploit, a new view, a new… anything, isn't really relevant). That's not even taking into account who has the final say in a decision.

      • Coyote in reply to Coyote.

        October 16, 2014 at 10:53 pm #

        (one person's experience is not the same as someone else and their experience. and this is both positive and negative. hopefully my mutilated sentence, above, is – if you excuse it – patched up now).

  3. John UK

    November 28, 2014 at 7:36 pm #

    My Sony KDL-42W653A Smart TV just recently received a security update that enables TLS 1.0, so it's good to see that things seem to be moving in the right direction at least.
