Image for post about The POODLE Vulnerability Meets The Watchdogs Of WSD
The POODLE Vulnerability Meets The Watchdogs Of WSD

The POODLE Vulnerability Meets The Watchdogs Of WSD

November 4, 2014

POODLE with cone of shame

The Internet got hit by its 3rd major security flaw of the year recently with the POODLE vulnerability. The vulnerability exploits an 18-year-old encryption technology called SSL (Secure Sockets Layer) 3.0, and comes on the heels of the Bash Bug in September and the Heartbleed vulnerability back in April. POODLE, which stands for "Padding Oracle On Downloaded Legacy Encryption", was discovered by three Google engineers, Bodo Moeller, Thai Duong, and Krzysztof Kotowicz. The main risk with this security flaw is that someone on the same local network as you can potentially eavesdrop on your web browsing sessions, taking over anything from email to social media and online banking. This is particularly problematic if you're connected to a public Wi-Fi network, such as at a local coffee shop. At first glance, the POODLE security flaw might not seem like that big of a deal due to the fact that SSL 3.0 has largely been replaced by a newer encryption protocol, TLS (Transport Layer Security). However many older systems still use SSL 3.0, and complicating the issue is that even systems configured to use TLS can be forced by hackers to downgrade to an SSL connection, leaving the system vulnerable to attack. According to a blog post by Bodo Moeller:

"SSL 3.0 is nearly 18 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue."

The only foolproof way of avoiding the POODLE vulnerability at this point in time is to disable SSL 3.0 altogether. The WebSight Design server team did just that for all of our web servers soon after the security flaw was announced. It's just another example of WSD staying on top of the latest threats in internet security, so you don't have to.

Tweet ThisEmail to a Friend