SSL Certificates

Leak in older security protocol SSLv3 discovered

In the night of Tuesday to Wednesday, October 15th, researchers for Google have announced the discovery of a security breach in an old version of the security protocol SSL, allowing the covert interception of login data. The attack that makes use of the breach has been named POODLE (Padding Oracle On Downgraded Legacy Encryption).

The breach concerns SSL 3.0, an eightteen-year-old version of the protocol used to secure connections. Despite the publication of several successors, SSL 3.0 is still being used by many websites and supported by many browsers.

Cookies

The security breach makes it possible for an attacker to intercept and read encrypted data, such as certain cookies. This would allow the attacker to gain access to certain cookies that control login data for, for instance, social media or email accounts.

The connection set up by the user still looks like a secure connection: it still has an URL beginning with https:// or the green lock in the URL-bar. Therefore, it will not be apparent to the user that their connection is being tapped.

Abuse

It is still possible to abuse the vulnerability. Hackers do require access to the user's network, or have to set up a malicious wifi-hotspot to lure in unsuspecting users.

Once they are in, the hacker can force the use of the outdated SSL 3.0 protocol by making the connection fail. Browsers will often attempt to retry a failed connection with an older version of SSL.

With the old protocol put into use, the hacker can now easily steal and read cookies, small packages of often sensitive data, from a secured connection.

Solution

Google has implemented a method in its browser, Chrome, called TLS_FALLBACK_SCSV. This should stop the downgrade to older SSL protocols, says the company in a blog post.

The search engine giant informed other browsers of the breach before publication. As a result, Mozilla has already informed the public that SSL 3.0 will no longer be supported as of Firefox 34. The latest version of the browser will come out on November 25th.

POODLE is not as serious a security breach as Heartbleed, which was discovered in April and allowed fairly easy access to all encrypted data on a connection. And in September, the security breach Shellshock was found, with which hackers could take control of a pc running on OS X or Linux.

Wednesday 15 October 2014
Follow Networking4all on Twitter
Twitter Hyves Facebook Google Buzz MySpace LinkedIn Bookmark and Share

SSL Certificates

Tools

Resellers

Networking4all

PO Box 15320
1001 MH Amsterdam
The Netherlands

T: +31 (0)20-7881030
F: +31 (0)20-7881040
E: info@networking4all.com


rss twitter facebook linkedin