Google researchers reveal Poodle bug, capable of exploiting SSL 3.0 fallback

Google researchers have highlighted a new bug, called Poodle, which is capable of exploiting SSL 3.0 fallback.
October 14, 2014

I have long suspected that poodles are really up to no good, and now I have proof. Today Google researchers published news of a new dreaded Poodle (Padding Oracle On Downgraded Legacy Encryption) attack, which can effectively circumvent the protections of SSL, the same protocol that Heartbleed targeted earlier this year.

The bug isn’t nearly as serious or far-reaching as Heartbleed, but it is still a threat. What does this bug do exactly? SSL protects data that’s in transit between a website and a user, so this bug could make it possible for an attacker to replace data in transit and open the door to all sorts of attacks. The Poodle bug targets SSL 3.0, which is nearly 15 years old but is still widely supported.

One way to prevent this problem is simply to disable SSL 3.0 support, but that can create compatibility problems. Google says its recommended response is for system administrators “to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.”

On Google’s part, Chrome and its servers have supported TLS_FALLBACK_SCSV since February, and the company says it can be used without compatibility problems. Google says it will also start testing changes for Chrome today that will disable the fallback to SSL 3.0. For more details on the Poodle bug (aka poodlebleed), you’ll want to head over to Google’s online security blog.