Latest in Bug

Image credit:

Google discovers another web security flaw that leaves browsers vulnerable


Get ready for Heartbleed deja-vu: Google just found an exploit in SSL 3.0 that could give attackers the ability to work out the plaintext traffic of a secure connection. It's calling the attack "POODLE," or Padding Oracle On Downgraded Legacy Encryption, and it allows a man-in-the-middle attacker to decrypt HTTP cookies. Cookies can be used to store personal information, website preferences or even passwords, depending on the situation. SSL 3.0 is a pretty old (15 years) protocol, but it's still used in most web browsers and as a fallback for countless servers in case modern protocols fail to connect. Prospective attackers can force a server to default back to SSL 3.0 for the sake of the exploit.

The easiest way to solve the problem is for servers to simply stop supporting SSL 3.0, since it's largely been replaced by TLS and other successors -- but since SSL is still widely used, Google says that could cause significant compatibility issues. For now, the company says the best solution is for browsers and severs to support TLS_FALLBACK-SCSV, a mechanism designed to stop attackers from forcing security handshakes to default to older standards. Google Chrome and the company's own servers have been using it since February, and the company is testing further Chrome changes that disable falling back to 3.0 altogether.

On the positive side, Google seems to have discovered the vulnerability on its own, and it's not clear how wide-spread it is. Still, Google's solution is only a temporary defense: SSL 3.0 can't be fixed. "There is no reasonable workaround," the company wrote in its security advisory. "To achieve secure encryption, SSL 3.0 must be avoided entirely." Check out the company's full technical explanation of the bug at the source link below.

From around the web