Researchers from Google have warned about a new Internet security vulnerability last Tuesday. They named the new attack POODLE or Padding Oracle on Downloaded Legacy Encryption. In a blog post, Google said that the threat is widespread because it allows hackers to steal private information.
The risk comes from SSL 3.0, which is the Secure Sockets Layer. It is an online layer that protects data from one point to another, which are usually your web browser and the web server where you are connected.
Matthew Green, a research professor and cryptographer from John Hopkins University, said that POODLE lets hackers take control of the connection between the web server and the browser. They do this by running a code in the browser that allows the hacker to decrypt cookies for websites that include Yahoo, Google and online bank account.
Google said that the security software is around 15 years old and most modern web browsers still support it. There are some cases wherein SSL 3.0 is used as a backup. Browsers will reattempt failed connections with older protocol versions that include SSL 3.0. A network attacker can create connection failures and trigger the usage of SSL 3.0. Then they will exploit it.
To prevent the issue, researchers suggest preventing browsers to use SSL 3.0 after failed attempts. This will prevent browsers from resorting to older versions of the security software. Google said that it will disable support for SSL 3.0 from its products in the next couple of months.
The more obvious solution is to not use SSL 3.0 at all. The problem is that most servers and browsers can’t function without it. It is one of the growing pains of the old internet infrastructure. Hopefully because of the exploit, they will now abandon old protocols, such as SSL 3.0.