Google researchers discover unfixable ‘POODLE’ web traffic encryption flaw

Security researchers at Google released a report today detailing an attack against a legacy web encryption standard. Called Padding Oracle On Downgraded Legacy Encryption, or POODLE for short, the flaw allows hackers to snoop on your encrypted web traffic and steal your cookies.

No, not the delicious baked good, but web cookies. These cookies allow you to remain logged into a website until the cookie is revoked or expires. The POODLE exploit allows someone to steal your web cookies, letting them impersonate you online. This is particularly worrying because the hacker won’t need your username or password.

It’s not all bad news though. The particular version of web encryption affected by the POODLE bug has largely been phased out by most sites and browsers. However, websites that still support it in order to serve older browsers are vulnerable to POODLE.

The affected web encryption protocol is called SSL 3.0, which has largely been abandoned in favor of TLS (Transport Layer Security). TLS is not affected by POODLE because it validates the padding of decrypted records much more strictly than SSL 3.0 does. However, when a TLS connection can’t be established, many websites and browsers will fall back to using SSL 3.0.
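To make the difference concrete, here is a small added example (written for this article, not code from Google’s report or from any TLS library) that models how the two protocols check CBC padding after decryption. The block size, the record layout and the sample cookie value are constructed for illustration; no real encryption is performed.

```python
# Added example: SSL 3.0 vs. TLS padding validation, modelled in plain Python.
# SSL 3.0 only checks the final padding-length byte; TLS 1.0+ requires every
# padding byte to equal the padding length. Constructed values throughout.

BLOCK_SIZE = 8  # assumed cipher block size in bytes (constructed for the example)


def build_record(body: bytes) -> bytes:
    """Pad a record the way a sender does: body, then padding bytes, then a
    final byte holding the padding length, so the total fills whole blocks."""
    pad_len = (BLOCK_SIZE - (len(body) + 1) % BLOCK_SIZE) % BLOCK_SIZE
    return body + bytes([pad_len]) * pad_len + bytes([pad_len])


def sslv3_padding_valid(plaintext: bytes) -> bool:
    """SSL 3.0 rule: only the last byte is inspected. It must be smaller than
    the block size and fit in the record; the padding bytes themselves are
    never compared against anything."""
    if not plaintext or len(plaintext) % BLOCK_SIZE != 0:
        return False
    pad_len = plaintext[-1]
    return pad_len < BLOCK_SIZE and pad_len + 1 <= len(plaintext)


def tls_padding_valid(plaintext: bytes) -> bool:
    """TLS 1.0+ rule: the last byte gives the padding length, and each of the
    preceding pad_len bytes must hold that same value."""
    if not plaintext or len(plaintext) % BLOCK_SIZE != 0:
        return False
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return False
    return all(b == pad_len for b in plaintext[-(pad_len + 1):])


def strip_padding(plaintext: bytes) -> bytes:
    """Return the record body once TLS-style validation has passed."""
    if not tls_padding_valid(plaintext):
        raise ValueError("bad padding")
    return plaintext[: len(plaintext) - plaintext[-1] - 1]


def corrupt_padding(record: bytes) -> bytes:
    """Overwrite the padding bytes (but not the length byte) with garbage.
    Simulates a record whose padding did not decrypt to the expected values."""
    pad_len = record[-1]
    return record[: len(record) - pad_len - 1] + b"\xff" * pad_len + record[-1:]


if __name__ == "__main__":
    good = build_record(b"cookie=s3cr3t")  # constructed sample cookie
    bad = corrupt_padding(good)
    print("SSL 3.0 accepts intact padding:", sslv3_padding_valid(good))
    print("TLS accepts intact padding:   ", tls_padding_valid(good))
    print("SSL 3.0 accepts garbage padding:", sslv3_padding_valid(bad))
    print("TLS accepts garbage padding:   ", tls_padding_valid(bad))
```

The point of the comparison is the last two lines of output: an SSL 3.0 receiver treats a record with garbage padding bytes exactly like a correctly padded one, so whether it accepts or rejects a record depends only on what the final byte decrypted to. That is the "padding oracle" in POODLE’s name, and it is what the stricter TLS check removes.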

How will POODLE be used in the real world?

Imagine you’re at Starbucks. You want to send out a few emails on your laptop so you hop onto Starbucks’ open Wi-Fi hotspot.

A hacker sitting in a corner has his laptop open. Little do you know, the Wi-Fi connection you just joined is not controlled by Starbucks but by the hacker, who has disguised it as the coffee shop’s hotspot.

As you’re browsing the web, the hacker is stealing your web cookies slowly. Once your cookies have been stolen, the hacker can do a number of things like scanning your emails for passwords and banking information.

What should I do to protect myself?

Don’t connect to public Wi-Fi hotspots or any connection you’re unsure of. There’s a chance a hacker could be running a malicious hotspot disguised as a legitimate one.

Also make sure your software is up to date, especially your web browser. Check Windows Update or the Mac App Store for updates to your system and included browsers like Internet Explorer and Safari.

Google Chrome users can disable SSL 3.0 by using a command line flag. The process is a little different depending on whether you’re using Mac, Linux or Windows, so follow this guide.

The next version of Firefox, version 34, will have SSL 3.0 disabled by default. In the meantime, you can disable SSL 3.0 with this add-on created by Mozilla. If you don’t want to install the add-on, you can manually disable SSL 3.0 by typing about:config and setting security.tls.version.min to “1”.

Internet Explorer users can go to Internet Options and click on the Advanced tab. Uncheck “SSLv3” and then “OK”.

Note that some sites may not work without SSL 3.0 so your mileage will vary. Still it’s better to be safe than sorry.

For now, there’s not much else you can do but wait for websites to disable SSL 3.0 on their servers.

Source: OpenSSL [PDF]

Image credit: Greg Westfall [Flickr]


Follow me on Twitter: @lewisleong
