October 15, 2014 In Digital Safety and Threat Alerts
POODLE Attack on SSL/TLS Forces Use of Vulnerable SSLv3 Protocol
From the Google researchers (including Thai Duong) that brought you BEAST and CRIME attacks on SSL/TLS, comes POODLE.
Browser vendors and security-conscious users are scrambling to disable SSL 3.0 support or CBC-mode ciphers with SSL 3.0 in their browsers. This prevents the downgrade of protocols to SSL 3.0 as well as from TLS 1.2 to 1.1 and/or 1.0 which may help to prevent similar attacks in the future against currently safe protocols.
SSL 3.0 itself is already 15 years old and long overdue for retirement, but unfortunately, appears to still be in use for large portions of the Internet. However, this latest attack should signal the end for it. Both Google and Mozilla have announced plans to end support for the protocol in future browsers and servers will likely begin dropping support for the protocol, albeit slowly.
For users of legacy browsers including Internet Explorer 6 which does not support anything above SSLv3 by default, the coming changes could disable support for secure connectivity altogether. Mozilla’s Richard Barnes indicated that SSLv3 represented 0.3% of transactions carried out through Firefox, but that still results in millions of transactions daily. Though it will be painful for some sys admins and users, nobody should be using a browser that was released in 2001.