POODLE Attack on SSL/TLS Forces Use of Vulnerable SSLv3 Protocol

From the Google researchers (including Thai Duong) who brought you the BEAST and CRIME attacks on SSL/TLS comes POODLE.
This latest attack exploits the fallback behavior of clients and servers that retry failed connection attempts using older protocol versions. If the attacker controls the network between client and server and can execute JavaScript within the victim’s browser, they should be able to force this downgrade and begin the extraction of a supposedly secure cookie. This could allow the attacker to hijack a secure session.
Browser vendors and security-conscious users are scrambling to disable SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, in their browsers. This prevents the downgrade of protocols to SSL 3.0 as well as from TLS 1.2 to 1.1 and/or 1.0, which may help to prevent similar attacks in the future against currently safe protocols.
SSL 3.0 itself is already 15 years old and long overdue for retirement, but unfortunately it appears to still be in use across large portions of the Internet. However, this latest attack should signal the end for it. Both Google and Mozilla have announced plans to end support for the protocol in future browsers, and servers will likely begin dropping support for the protocol, albeit slowly.
For users of legacy browsers, including Internet Explorer 6, which does not support anything above SSLv3 by default, the coming changes could disable support for secure connectivity altogether. Mozilla’s Richard Barnes indicated that SSLv3 represented 0.3% of transactions carried out through Firefox, but that still results in millions of transactions daily. Though it will be painful for some sysadmins and users, nobody should be using a browser that was released in 2001.
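For administrators dropping SSL 3.0 on the server side, the following added example (not part of the original article) scans web server configuration text for protocol directives that still leave SSLv3 enabled. It assumes nginx's `ssl_protocols` and Apache mod_ssl's `SSLProtocol` directives, treats Apache's `all` keyword as including SSLv3, and runs against a constructed sample config.

```python
import re

# Real directive names: nginx `ssl_protocols`, Apache mod_ssl `SSLProtocol`.
DIRECTIVE = re.compile(r"^\s*(ssl_protocols|SSLProtocol)\s+([^;#]+)", re.IGNORECASE)

def sslv3_enabled(tokens, apache):
    """Return True if the protocol token list leaves SSLv3 enabled."""
    if not apache:
        # nginx takes a plain allow-list: SSLv3 is on only if it is named.
        return any(tok.lower() == "sslv3" for tok in tokens)
    enabled = False
    for tok in tokens:
        signed = tok[0] in "+-"
        sign, name = (tok[0], tok[1:]) if signed else ("+", tok)
        if name.lower() in ("all", "sslv3"):
            # Assumption: `all` includes SSLv3, as in mod_ssl builds of this era.
            enabled = sign == "+"
        elif not signed:
            # A bare protocol name replaces the whole list with that protocol.
            enabled = False
    return enabled

def audit(config_text):
    """Return [(line_number, line)] for directives that leave SSLv3 on."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)  # commented-out lines never match
        if not match:
            continue
        apache = match.group(1).lower() == "sslprotocol"
        if sslv3_enabled(match.group(2).split(), apache):
            findings.append((number, line.strip()))
    return findings

# Constructed sample mixing nginx and Apache lines; not from any real server.
SAMPLE = """\
# constructed sample configuration
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.2;
SSLProtocol all -SSLv2
SSLProtocol all -SSLv2 -SSLv3
SSLProtocol -all +TLSv1.2
# ssl_protocols SSLv3;
"""

if __name__ == "__main__":
    for number, line in audit(SAMPLE):
        print(f"line {number}: SSLv3 still enabled -> {line}")
```

A configuration with no protocol directive at all falls back to the server's built-in default, which this check does not evaluate.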