Stay calm and Internet.
The POODLE vulnerability is serious, but it is a vulnerability in an outdated protocol that shouldn’t even be in use today, and there are mitigating circumstances that make it more challenging for attackers to use POODLE against you. The bottom line is that you should be aware of POODLE, and you should take steps to protect yourself from the SSLv3 flaw, but there is no need to panic.
I wrote about POODLE, and what you should know about it in this blog post:
Google researchers revealed a major flaw in the SSL encryption protocol—SSLv3 to be precise—which has been affectionately named “POODLE.” The vulnerability is more serious than the silly name might suggest, and the news has garnered a lot of attention because of the potentially broad implications. But security experts assure us the sky is not falling.
What Is POODLE?
POODLE is actually an acronym for “Padding Oracle On Downgraded Legacy Encryption.” SSLv3 is rarely used today, but most Web browsers will negotiate a compatible encryption protocol when connecting to a site or server, and are capable of downgrading to SSLv3 if necessary. The POODLE attack relies in part on forcing the target browser to fall back to the legacy protocol, which has inherent weaknesses that can be exploited to allow the attacker to access the encrypted information.
Greg Foss, senior security research engineer for LogRhythm, points out that POODLE is just the latest vulnerability found in SSLv3. BEAST ruled the headlines a few years ago, and the flaw still exists. The only mitigation is to stop using SSLv3 and move to a more secure protocol, like TLS.
Why Does POODLE Matter?
Foss explains, “POODLE is something else, however the impact is similar to BEAST in that it allows for decryption of part of the message. Fundamentally, this vulnerability is the result of a design-flaw within SSLv3 in that it does not specify the contents of padding bytes, whereas TLS does.”
Garve Hayes, solutions architect for NetIQ, blames Web admins and software vendors for choosing backward compatibility to an archaic protocol over security. “One of the culprits in this case is Internet Explorer 6. Why would anyone still be using this? Furthermore, why would you allow your servers to auto-negotiate down to a protocol supported by IE 6? I guess in this long-tail world, you never want to let even one customer get away.”
Read the full post at PCWorld: POODLE’s bark is bigger than its bite.