Number: IRCNE2014102344
Date: 2014/10/19
According to “itpro”, a vulnerability in the SSL 3.0 web encryption standard has been uncovered by Google security researchers that renders the widely-used protocol unsafe to use.
The flaw has been dubbed Poodle by the Google research team,who have published details of how it could be exploited to carry out man-in-the-middle-type attacks online in a security advisory.
“SSL 3.0 is nearly 15 years old, but support for it remains widespread. Most importantly, nearly all browsers support it,” Google explained in a supporting blog post.
The advisory document states that, despite being made obsolete by newer protocols - such as TLS 1.0, TLS 1.1 and TLS 1.2 - SSL 3.0 is still widely used and many of these standards are backwards-compatible with it.
As SSL 3.0 is used on websites and within web browsers, the issue has the potential to cause problems for a number of users, and make it easier for hackers to acquire sensitive information.
“In the web setting, this SSL 3.0 weakness can be exploited by a man-in-the-middle attacker to decrypt ‘secure’ HTTP cookies,” the advisory adds.
To avoid this, Google’s researchers recommend that people stop using the SSL 3.0 protocol, although it admits this may not be an appropriate course of action for those that need to run legacy systems.
- 2