Researchers at Google have discovered a security vulnerability in a “basic protocol for encrypting web traffic,” reported Wired. The vulnerability, called POODLE, affects the third version of the Secure Sockets Layer protocol (SSL 3.0), which is over 15 years old, “but it is still used by modern web browsers and servers,” according to PC World. Typically, web browsers use the newer versions of SSL, but PC World goes on to say that “browsers will accommodate SSL 3.0 if that’s all that a server can do on the other end.”
The researchers who discovered the vulnerability, Bodo Möller, Thai Duong, and Krzysztof Kotowicz, outlined recommendations for dealing with the issue in their research paper: “The attack described above requires an SSL 3.0 connection to be established, so disabling the SSL 3.0 protocol in the client or in the server (or both) will completely avoid it. If either side supports only SSL 3.0, then all hope is gone, and a serious update required to avoid insecure encryption. If SSL 3.0 is neither disabled nor the only possible protocol version, then the attack is possible if the client uses a downgrade dance for interoperability.” Although the researchers have recommendations, they do not have a concrete solution. Many applications, devices and servers have adopted TLS 1.0 or 2.0, but a majority of them continue to support SSL 3.0 for backward compatibility.
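The recommendation quoted above turns on whether an SSL 3.0 connection can be established, so the following added example (not from the research paper or from EiQ) reads the negotiated version out of a captured ServerHello record and applies the researchers' cases to a client/server pair. The host names, the sample records and the function names are constructed for illustration.

```python
import struct

SSL3 = (3, 0)
NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def server_hello_version(record: bytes):
    """Return the (major, minor) version a ServerHello selected, else None."""
    if len(record) < 5:
        return None
    ctype, _maj, _min, rlen = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + rlen]
    # Content type 22 = handshake; handshake type 2 = ServerHello.
    if ctype != 22 or len(body) != rlen or rlen < 6 or body[0] != 2:
        return None
    return (body[4], body[5])  # server_version leads the ServerHello body

def poodle_exposure(client, server, client_downgrades):
    """Apply the cases from the quoted recommendation to two version sets."""
    if SSL3 not in client or SSL3 not in server:
        return "avoided"          # SSL 3.0 disabled on at least one side
    # Generalises "either side supports only SSL 3.0": best shared version is SSL 3.0.
    if max(client & server) == SSL3:
        return "update required"
    return "possible" if client_downgrades else "no downgrade path"

def build_server_hello(version):
    """Constructed sample: minimal ServerHello, zeroed random, empty session id."""
    hello = bytes(version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BBBH", 22, *version, len(handshake)) + handshake

def flag_ssl3(captures):
    """Return the hosts whose captured ServerHello negotiated SSL 3.0."""
    return [host for host, rec in captures.items()
            if server_hello_version(rec) == SSL3]

# Constructed captures; the host names are placeholders.
CAPTURES = {
    "legacy.example": build_server_hello((3, 0)),
    "modern.example": build_server_hello((3, 3)),
    "truncated.example": build_server_hello((3, 0))[:20],
}

if __name__ == "__main__":
    for host, rec in CAPTURES.items():
        print(host, NAMES.get(server_hello_version(rec), "unparsed"))
    print("SSL 3.0 negotiated:", flag_ssl3(CAPTURES))
```

A record that is cut short is reported as unparsed rather than guessed at, so a truncated capture never counts as evidence either way.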
While previous bugs like Heartbleed and Shellshock targeted servers, this vulnerability targets clients, reported Wired. EiQ Networks has quickly devised a solution for POODLE.
At EiQ Networks, we emphasize the importance of having a cyber-security system in place to prevent hackers from exploiting vulnerabilities and accessing company documents. EiQ’s SecureVue platform can provide detailed reports identifying many issues, including the POODLE vulnerability.