It seems like each week brings news of either hackers breaking into big-box store databases or security researchers discovering bugs in aging software, and this week is no exception.
Following the discovery of April’s ‘Heartbleed’ bug in OpenSSL and last month’s ‘Shellshock’ bug in a piece of Unix software known as Bash, last week a security bug was found in the widely used software that secures your internet connection. Discovered by three Google researchers and dubbed ‘Poodle’, this new vulnerability could allow hackers to gain access to information that is meant to be encrypted, allowing them to take over your email and banking accounts along with other online services.
So the discovery of ‘Poodle’ – which stands for ‘Padding Oracle On Downloaded Legacy Encryption’ – is now the third time this year that researchers have uncovered a vulnerability in commonly used web technology.
This recent Poodle vulnerability is found in an 18-year-old encryption protocol known as SSL 3.0, which stands for ‘Secure Sockets Layer 3’. This is the technology used to encrypt the information travelling between a web browser and a website, or between your email program and an email server. So, as mentioned earlier, this bug allows encrypted information to be accessed by an attacker if they are on the same network as you.
Here is how it works: a hacker connected to the same public Wi-Fi network as you, say at your local coffee shop, can intercept and capture all the bits and bytes flowing on that network. Since some usernames and passwords are stored by a web browser in the form of a browser cookie (or a plain text file), it is possible with this vulnerability that a hacker could steal and read your browser ‘cookies’, giving them potential access to a person’s email, bank, or social networking account credentials.
Compared to the Heartbleed or Shellshock vulnerabilities, which merited a 10 on a scale from 1-10, I would put this type of bug only around a 5. The reason is that Poodle is exploited through a person-in-the-middle style attack – where an attacker intercepts the information between the user and the website they are browsing – so those who are most vulnerable are mainly people using public Wi-Fi connections. A hacker needs to be able to tap into the data between you and the website you are browsing, which is often difficult to do. So this means you are probably safe from this type of hack at home, provided you have a strong Wi-Fi key.
Therefore, if at all possible, you might want to stay away from public Wi-Fi hot spots, at least until this vulnerability is patched. One workaround: if you have a cell phone with its own data connection, you could avoid public Wi-Fi altogether by tethering your computer or device to your phone and using the phone’s data and internet connection instead.
But if you can’t avoid public Wi-Fi, then you will want to avoid doing any online banking or logging into any sensitive web sites. If that proves to be difficult, you will want to make sure you have all available updates for your web browser.
At this point, though, it looks like the only way to avoid using the SSL 3.0 protocol is to manually disable it in your web browser, something that is a little tricky and different for each browser out there. I would suspect, though, that future updates of all browsers will disable this protocol by default, much like Firefox has suggested for its November update. In the meantime, if you go to www.poodletest.com you can determine whether your browser is vulnerable and keep up with any updates on this security bug.
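
The same "disable SSL 3.0 on the client" step applies to any program that opens its own encrypted connections, such as a script that talks to an email server. The following is an added example, not part of the original article: it uses Python's standard `ssl` module to report whether a client configuration could still fall back to SSL 3.0. The names `ssl3_policy`, `hardened_client_context` and `LEGACY_PROFILE` are assumptions made for this example, and raising the floor to TLS 1.2 goes further than the article, which only asks for SSL 3.0 to be turned off.

```python
import ssl
from types import SimpleNamespace


def ssl3_policy(ctx):
    """Report how a client TLS configuration treats SSL 3.0.

    Three independent layers can keep SSL 3.0 out of a handshake:
    the OP_NO_SSLv3 option, the minimum protocol version, and whether
    the linked TLS library was built with SSL 3.0 support at all.
    """
    blocked_by_option = bool(ctx.options & ssl.OP_NO_SSLv3)
    # MINIMUM_SUPPORTED is a negative sentinel, so it sorts below SSLv3
    # and is correctly treated as "no floor configured".
    blocked_by_floor = ctx.minimum_version > ssl.TLSVersion.SSLv3
    policy_allows = not (blocked_by_option or blocked_by_floor)
    return {
        "library_has_ssl3": ssl.HAS_SSLv3,
        "blocked_by_option": blocked_by_option,
        "blocked_by_floor": blocked_by_floor,
        "policy_allows_ssl3": policy_allows,
        # Reachable only if both the policy and the library permit it.
        "ssl3_negotiable": policy_allows and ssl.HAS_SSLv3,
    }


def hardened_client_context():
    """Client context with certificate checks on and a TLS 1.2 floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed stand-in for a legacy client configuration: no OP_NO_SSLv3
# flag and a protocol floor of SSL 3.0. It is plain data, not a live
# context, so the audit can be shown without weakening a real one.
LEGACY_PROFILE = SimpleNamespace(options=0,
                                 minimum_version=ssl.TLSVersion.SSLv3)


if __name__ == "__main__":
    profiles = (("legacy (constructed)", LEGACY_PROFILE),
                ("hardened", hardened_client_context()))
    for name, ctx in profiles:
        report = ssl3_policy(ctx)
        verdict = "ALLOWS" if report["policy_allows_ssl3"] else "refuses"
        print(f"{name}: policy {verdict} SSL 3.0 -> {report}")
```

On current systems `library_has_ssl3` is usually `False` because the TLS library no longer ships SSL 3.0, so the policy result is the field to watch when auditing older or embedded clients.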
