Google has discovered a 15 year old flaw in SSL 3.0, a security protocol that turns out isn't quite a s secure as originally thought, that could let remote attackers highjack Web browser sessions and gain access to personal data, like Web-based email. The flaw takes advantage of a browser's ability to fall back from the more secure TLS protocol to SSL where attackers can then gain access to session cookies on victim's computers.
Poodle SSL 3.0 flaw could give attackers access to browser session cookies
TLS and SSL are protocols that let your computer create encrypted connections with servers. SSL was thought for a long time to be very secure, but over the past few months has proven to be vulnerable to attacks that show its encryption isn't all that safe.
Bodo Möller from Google's security team said the vulnerability in SSL 3.0 lets attackers capture plaintext from secure connections, which means there really isn't any security in that connection at all. Mr. Möller said,
SSL 3.0 is nearly 15 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue.
The simple fix for the flaw is for Web servers to disable SSL 3.0 support, although that creates big security compatibility issues for older Web browsers without TLS support. The longer range fix is for Web browser makers to remove SSL support from their products so there isn't a way to fall back to the less secure protocol.
Poodle is only the latest in a string of serious SSL-related security flaws that include Heartbleed, which lets attackers intercept server encryption keys and view what otherwise appear to be secure communications. Another SSL flaw gives attackers the ability to force sending and receiving computers to use weak, and easily crackable, passwords.
Most of the responsibility for addressing Poodle will fall on the shoulders of the IT crowd, but that doesn't mean there isn't anything end users can do. First, make sure you're using a modern Web browser that supports secure TLS connections, and not something like Internet Explorer 6. Second, watch for browser updates that disable SSL support.