Jason Steuernagel, Principal of Momentum Technology Group, wrote about a recently discovered vulnerability in encrypted communication called “POODLE” (Padding Oracle On Downgraded Legacy Encryption).
What is Affected?
This vulnerability affects SSL 3.0. SSL 3.0 is used by web servers and web browsers for secure (encrypted) communication. SSL 3.0 is an old standard that has been replaced with newer standards (TLS). SSL 3.0 is still in use as a fallback method for compatibility for older systems (like XP).
How Is It Exploited?
This vulnerability is exploited through a “man in the middle” attack, which means the attacker has to get in between a person’s computer and whatever target/site they are accessing. By gathering the data of someone’s session, the attacker can exploit the vulnerability. The most common way someone might take advantage of this is by being on the same network, for example a public Wi-Fi hotspot.
Probability?
Because this requires a “man in the middle” position, the probability of it being exploited is low, but it is still possible in certain circumstances.
What’s Being Done?
Major websites like Twitter are in the process of turning off SSL 3.0 as a fallback option. As I mentioned, it has been left on up until now as a convenience and as a compatibility measure for those running older PCs and browsers. For example, SSL 3.0 is the only option if you are running XP and Internet Explorer 6.0. Anyone running older systems like this will soon not be able to access certain sites that have turned off SSL 3.0 support.
What Should You Do?
To be safe, it is advised to disable SSL 3.0 as an option in your web browser (IE, Chrome, Firefox). We will be following up on ways we can push out the change to PCs automatically for Internet Explorer and assisting in getting it turned off on all servers.
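To confirm that SSL 3.0 is really off on your servers, you can look at the version a server picks in its ServerHello reply; the wire value 0x0300 means SSL 3.0 was negotiated. The sketch below is an added example, not part of the original article: the function names, host names and sample records are constructed for illustration, and it assumes each capture starts at the first handshake record sent by the server.

```python
import struct

# Wire values of the two-byte protocol version field.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HANDSHAKE_RECORD = 0x16  # record-layer content type for handshake messages
SERVER_HELLO = 0x02      # handshake message type

def negotiated_version(record: bytes):
    """Return server_version from a ServerHello record, or None if malformed."""
    if len(record) < 5:
        return None
    rtype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if rtype != HANDSHAKE_RECORD or len(body) != rec_len or len(body) < 6:
        return None
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != SERVER_HELLO or hs_len < 2 or 4 + hs_len > len(body):
        return None
    return struct.unpack("!H", body[4:6])[0]

def audit(captures):
    """Map each host to a finding based on the version its server selected."""
    findings = {}
    for host, record in captures.items():
        version = negotiated_version(record)
        if version is None:
            findings[host] = "unparsed"
        elif version == 0x0300:
            findings[host] = "SSL 3.0 still accepted"
        else:
            findings[host] = "ok: " + VERSIONS.get(version, hex(version))
    return findings

def build_server_hello(version: int) -> bytes:
    """Build a minimal ServerHello record (constructed test data only)."""
    # version, 32-byte random, empty session id, cipher suite, null compression
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", HANDSHAKE_RECORD, version, len(handshake)) + handshake

# Constructed sample captures; the host names are placeholders.
SAMPLE = {
    "legacy.example.test": build_server_hello(0x0300),
    "www.example.test": build_server_hello(0x0303),
    "broken.example.test": b"\x16\x03\x00\x00",  # truncated record
}

if __name__ == "__main__":
    for host, finding in audit(SAMPLE).items():
        print(host, "->", finding)
```

Any host reported as still accepting SSL 3.0 needs the protocol turned off in its server configuration; a truncated or non-handshake capture is reported as unparsed rather than guessed at.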
Click here for instructions for turning off SSL 3.0 for IE, Chrome and Firefox:
More Info/News Article/Advisories
- Here is a good article explaining the vulnerability.
- Here is Microsoft’s official advisory on the vulnerability.