This article was published on October 15, 2014

A Web encryption vulnerability opens ‘encrypted’ data to hackers

A Web encryption vulnerability opens ‘encrypted’ data to hackers
Roberto Baldwin
Story by

Roberto Baldwin

Roberto Baldwin was a reporter for The Next Web in San Francisco between April 2014 and March 2015. Roberto Baldwin was a reporter for The Next Web in San Francisco between April 2014 and March 2015.

Turns out that the Secure Sockets Layer (SSL) encryption we’ve relied on for secure communication on the Internet has a vulnerability.

Today Google researchers announced (PDF link) that they have found a bug in the SSL 3.0 protocol. The exploit could be used to intercept critical data that’s supposed to be encrypted between clients and servers.

The exploit first allows attackers to initiate a “downgrade dance” that tells the client that the server doesn’t support the more secure TLS (Transport Layer Security) protocol and forces it to connect via SSL 3.0. From there a man-in-the-middle attack can decrypt secure HTTP cookies. Google calls this the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack.

In other words, your data is no longer encrypted. Google researchers Bodo Möller, Thai Duong and Krzysztof Kotowicz recommend disabling SSL 3.0 on servers and in clients. The server and client will default to the more secure TSL and the exploit won’t be possible.

For end users, if your browser supports it, disable SSL 3.0 support or better yet use tools that support TLS_FALLBACK_SCSV (Transport Layer Security Signalling Cipher Suite Value), it prevents downgrade attacks. Google says that it will begin testing Chrome changes that disable using SSL 3.0 fallback and it will remove SSL 3.0 support completely from all its products in the coming months. In fact, there’s already a Chromium patch available that disables SSL 3.0 fallback.

In response to today’s news, Mozilla plans to turn off SSL 3.0 in Firefox. “SSLv3 will be disabled by default in Firefox 34, which will be released on Nov 25,” said Mozilla in a post. The code to disable the protocol will be available tonight via Nightly.

Anyone interested in disabling SSL 3.0 right now can do so with the SSL Version Control add on for Firefox.

Introduced in 1996, SSL protocol is supposed to allow for communication without fear of eavesdropping because the information being shared is encrypted. When a client (browser, apps etc,) pings a server they engage in a security handshake that creates keys to encrypt and decrypt information sent back and forth.

Today’s announcement lands on the heels of Snapchat and Dropbox security news that involved third-party apps leaking customer information.

➤ This POODLE bites: exploiting the SSL 3.0 fallback [Google]

Image credit: Shutterstock

Get the TNW newsletter

Get the most important tech news in your inbox each week.