Researchers from Google found a vulnerability
in SSL v3.0 this week, which allows for a man-in-the-middle attack (MITM). This
type of MITM attack is called a POODLE (Padding Oracle On Downgraded Legacy
Encryption), and allows the cybercriminal to access and steal information by
changing how the SSL client and the server communicate with each other.
It is always a big deal when security
protocols (especially encryption-based ones) are found to be vulnerable, and
although SSL 3.0 is almost 18 years old, many still use it on their browsers,
VPNs and e-mail clients.
Although the exploitation takes some work to
execute (the attack can gain about one byte of clear text for every 256
requests), it could result in your confidential data being exposed, so it is
best to deal with this as soon as possible.
The best approach for businesses is to get their
IT department to disable SSL v3.0 on all clients and servers company-wide.
Start with your most business-critical and/or financially-centered IT resources
such as PCI websites, point-of-sale systems, and VPNs. Also remember your STARTTLS-compliant services
like IMAP, POP3 and SMTP.
Keep in mind that disabling this protocol on
clients and servers will impact the business, its systems and employees, so it
may need to be staged over time to ensure the least amount of downtime. If you
have external customers, make sure they understand the implications as well.
Pulling up a log summary of the encryption
ciphers used by your clients and the browsers they are using will help you
understand how many people will be affected by disabling SSL v3.0. It might
also give you insight as to whether this attack is happening over time.
Google recommends using TLS_FALLBACK_SCSV as a solution. You can also check out more information at http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html .
It is quite a challenge for consumers unfortunately
to protect themselves against a POODLE attack. It is possible to turn off SSL
3.0 off in Firefox and Chrome, but this has to be set up manually. This makes
it even more important for service providers and IT vendors to take the lead on
this and help protect their customers. Customers should also be able to feel secure
in that their selected vendors and service providers have taken adequate steps
to protect themselves from this attack.
The result is another major vulnerability for
SSL. Do you think this could signify the beginning of the end for SSL?