15 Oct Meet the Internet’s nasty new “Poodle” attack
A vicious new bug on the Internet has an innocuous name but a nasty potential bite. Meet the Poodle attack, which exploits yet another vulnerability in one of the Internet’s basic security protocols that could theoretically give an attacker access to your sensitive online accounts.
Google researchers on Tuesday published details of a weakness in SSL 3.0—an encryption method, technically known as the Secure Sockets Layer, that safeguards the connections your browser makes to secure websites at banks, email providers, social networks and the like. SSL, it just so happens, is also the security protocol the Heartbleed bug exploited (although that problem affected a different SSL version).
SSL 3.0 is ancient in Web terms; it’s more than 18 years old and has been considered obsolete for the past 15 years. The Internet being what it is, and server administrators being who they are, SSL 3.0 is still in use here and there across the Web. And while modern browsers use more advanced security methods, a sophisticated attacker can trick them into downgrading to SSL 3.0. If the server you’re connected to is also using SSL 3.0, that could let the same attacker unravel the encryption and extract sensitive data he or she could use to impersonate you.
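The server-side half of that condition is a configuration choice. As an added example (not from the article or from the Google researchers; hostnames and certificate paths are placeholders), here is an nginx setup with the weak setting that still offers SSL 3.0 beside the corrected one that refuses it, so a browser tricked into downgrading cannot complete an SSL 3.0 session with the server:

```nginx
# Added example, not from the article. Hostnames and paths are placeholders.

# Weak: SSL 3.0 is still on the list, so a client that has been pushed
# down to it can finish the handshake and the weak protocol is in play.
server {
    listen 443 ssl;
    server_name legacy.example.com;
    ssl_certificate     /etc/ssl/certs/example.pem;     # placeholder path
    ssl_certificate_key /etc/ssl/private/example.key;   # placeholder path
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}

# Fixed: SSL 3.0 removed. A client downgraded to SSL 3.0 now gets a
# handshake failure instead of a session, and modern browsers keep
# negotiating TLS as before.
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/ssl/certs/example.pem;     # placeholder path
    ssl_certificate_key /etc/ssl/private/example.key;   # placeholder path
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
```

After reloading nginx, `openssl s_client -connect www.example.com:443 -ssl3` should report a handshake failure against the fixed block (the check only works from a machine whose OpenSSL build still has SSL 3.0 compiled in).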
Such attacks aren’t easy to pull off, and that makes the latest weakness a cause for concern, though probably not for outright panic. So far, at least.
How Poodle Attacks
Google researchers Bodo Möller, Thai Duong and Krzysztof Kotowicz outlined the (so far hypothetical) attack in a security advisory published on Tuesday. Poodle—which, in case you were curious, stands for “Padding Oracle On Downgraded Legacy Encryption”—basically takes the Internet’s heterogeneity, usually a source of robustness, and turns it into a weapon.