Google exposes 'Poodle' flaw in Web encryption standard
Three Google security engineers uncover a major vulnerability in the older -- but still supported -- Web encryption standard SSL 3.0. Experts say fixing it is impossible and upgrading will be difficult.
Seth Rosenblatt, Former Senior Writer / News
Senior writer Seth Rosenblatt covered Google and security for CNET News, with occasional forays into tech and pop culture. Formerly a CNET Reviews senior editor for software, he has written about nearly every category of software and app available.
Older Web technology continues to be dogged by revelations that show how insecure it is. A trio of Google security engineers proved that the encryption standard Secure Sockets Layer can be circumvented thanks to a new vulnerability they dubbed "Poodle."
The vulnerability allows encrypted, ostensibly secret information to be exposed by an attacker with network access. Poodle, which stands for Padding Oracle On Downgraded Legacy Encryption, is a problem because SSL 3.0 is still used by both websites and Web browsers. Both must be reconfigured to prevent using SSL 3.0, and Poodle will remain a problem as long as SSL 3.0 is supported.
While SSL 3.0 is no longer the most advanced form of Web encryption in use, Möller explained that browsers and secure HTTP servers still need it in case they encounter errors in Transport Layer Security (TLS), SSL's more modern, less vulnerable younger sibling.
The good news is that not much of the Web relies on SSL 3.0 anymore. A study by the University of Michigan shows that few sites rely on SSL 3.0 for anything. Less than 0.3 percent of communication between site and server depends on SSL 3.0, while 0.42 percent of the top 1 million domains on Alexa use it even partially.
The reason that Poodle is a problem is that attackers can force your browser to downgrade to SSL 3.0.
If either browser or server runs into problems connecting with TLS, sites and browsers will often fall back to SSL. The problem is that attackers can force a connection failure which would force a site to use SSL 3.0, which would then expose it to hackers.
Because disabling SSL 3.0 outright causes compatibility problems for sites and servers, Möller recommended that administrators for both add support for TLS_FALLBACK_SCSV, a TLS mechanism that blocks attackers from conning browsers into downgrading to not only SSL 3.0, but TLS 1.0 and 1.1 as well. It "may help prevent future attacks," he wrote.
Möller said that Google Chrome and Google servers have supported this solution "since February," which he said proves that it can be used without compatibility problems.
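The server side of the TLS_FALLBACK_SCSV check, sketched as an added example that is not code from the article or from Google. It follows the rule later published as RFC 7507; the function names, the sample cipher suite and the ClientHello bytes are constructed for illustration.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600         # signaling cipher suite value (RFC 7507)
INAPPROPRIATE_FALLBACK = 86        # fatal alert code defined alongside it
SSL30, TLS10, TLS12 = (3, 0), (3, 1), (3, 3)   # wire versions as (major, minor)


def parse_client_hello(body):
    """Return (client_version, cipher_suites) from a ClientHello body."""
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    version = (body[0], body[1])
    pos = 34 + 1 + body[34]        # skip version, 32-byte random, session_id
    if pos + 2 > len(body):
        raise ValueError("truncated ClientHello")
    (cs_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    suites = list(struct.unpack_from("!%dH" % (cs_len // 2), body, pos))
    return version, suites


def server_decision(body, server_max):
    """Apply the server-side rule: refuse a fallback the server did not need."""
    version, suites = parse_client_hello(body)
    if TLS_FALLBACK_SCSV in suites and server_max > version:
        return ("alert", INAPPROPRIATE_FALLBACK)
    return ("negotiate", min(version, server_max))


def build_client_hello(version, suites):
    """Constructed sample input: minimal ClientHello body without extensions."""
    cs = struct.pack("!%dH" % len(suites), *suites)
    return (bytes(version) + bytes(32) + b"\x00"
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00")


if __name__ == "__main__":
    SAMPLE_SUITE = 0x002F  # TLS_RSA_WITH_AES_128_CBC_SHA, used as sample data
    retry = build_client_hello(SSL30, [SAMPLE_SUITE, TLS_FALLBACK_SCSV])
    print(server_decision(retry, TLS12))   # newer server: refuses the downgrade
    print(server_decision(retry, SSL30))   # SSL 3.0-only server: fallback was real
    legacy = build_client_hello(SSL30, [SAMPLE_SUITE])
    print(server_decision(legacy, TLS12))  # client that never sends the SCSV
```

The last case is why the value only helps when both ends support it: a client that never sends it is still negotiated down to SSL 3.0.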
Robert Hansen, a browser specialist at the security firm White Hat Security, compared Poodle to another widespread vulnerability -- Firesheep. Firesheep was a browser add-on that could grab unencrypted communications over the Web. While Firesheep could be defeated by using encryption, Poodle is a problem because the flaw lies with the encryption itself.
"[Poodle] is pretty bad," Hansen told CNET, "but you have to keep in mind that it only affects a Man-In-The-Middle situation," an attack where the hacker surreptitiously intercepts network traffic.
Legacy browsers are especially at risk, most notably Internet Explorer 6, which only supports SSL 3.0 and none of the encryption protocols that followed.
Hansen noted that there haven't been any publicly known attacks using Poodle yet, but he said it's only a matter of time until there's a tool to help hackers exploit Poodle.
"Once somebody creates a tool like Firesheep, then this gets more serious," he said. "We possibly could see one by the end of the week."
Research analyst Andrew Conway, who works for the Web and messaging security analysis firm CloudMark, highlighted the fact that an attack using Poodle would be "very difficult to implement."
That, he said, makes it a bad exploit for your run-of-the-mill cybercriminal, but a potentially attractive one to "national security services" which could use it to spy on "high value targets."
"The NSA, GCHQ and Russian and Chinese intelligence all have access to Internet traffic in and out of their countries, as well as the skills and resources to implement this attack," Conway said. "I could imagine that it might be used against military and intelligence targets that use encrypted communications as a matter of course."
Although Hansen didn't specifically mention government surveillance, he did add that public Wi-Fi networks and Tor exit nodes could be likely spots to see Poodle exploits -- which would fit with Conway's analysis.
What should I do?
If you're concerned about having your Internet traffic spied on through SSL 3.0, Hansen recommends that you avoid using any public Wi-Fi or even any connection you don't trust.
Errata Security's Robert Graham supported that conclusion. Using public Wi-Fi and other unencrypted Wi-Fi networks, like those at your local Starbucks, puts you "in grave danger from this hack," he said. A successful attack wouldn't give the hacker your actual password, he explained, but it would give them your session cookies, which could be used to log in to your accounts as you.
Google security engineering expert Adam Langley explained that for Chrome users who want to disable SSL 3.0 outright at the moment, Google advises that you add this command line flag to the browser: --ssl-version-min=tls1.
Mozilla security engineer Richard Barnes advises Firefox users to install a Mozilla security add-on that disables SSL 3.0. If you don't want to use an add-on, you can go to about:config and set security.tls.version.min to 1. Firefox 34 will include this fix by default when it becomes available in six weeks or so, but the add-on is available now.
In Internet Explorer 7 and newer, you can go to Internet Options, click the Advanced tab, uncheck SSLv3, and click the OK button.
Apple declined to comment. Microsoft didn't respond to a request for comment.
Twitter notified its users that it has disabled SSL 3.0 support, which it said may break Twitter on some browsers.
Google security engineering expert Adam Langley explained that the Poodle problem relies on a common exploit design in SSL and TLS. "SSL got encryption and authentication the wrong way around," he said, "it authenticates before encrypting."
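What "authenticates before encrypting" means for the receiver, as an added example that is not from the article or from Google. It works on record plaintext after decryption and contrasts the SSL 3.0 padding rule (padding content unspecified) with the TLS rule (every padding byte equals the pad length); HMAC-SHA1, the 16-byte block size, the key and the payload are assumptions and constructed sample values.

```python
import hashlib
import hmac

BLOCK = 16     # CBC block size in bytes (assumption: a 128-bit block cipher)
MAC_LEN = 20   # HMAC-SHA1 tag, a stand-in for SSL 3.0's own record MAC


def seal(key, data, fill):
    """Sender side: data || MAC(data) || padding || pad_len, ready for CBC."""
    body = data + hmac.new(key, data, hashlib.sha1).digest()
    pad_len = BLOCK - 1 - len(body) % BLOCK
    return body + fill(pad_len) + bytes([pad_len])


def open_record(key, plaintext, strict_padding):
    """Receiver side, after CBC decryption. Returns the data, or None on failure."""
    if len(plaintext) < MAC_LEN + 1:
        return None
    pad_len = plaintext[-1]
    if pad_len + 1 + MAC_LEN > len(plaintext):
        return None
    padding = plaintext[-1 - pad_len:-1]
    if strict_padding and padding != bytes([pad_len]) * pad_len:
        return None            # TLS rule: every padding byte equals pad_len
    # SSL 3.0 rule: padding content is unspecified, so there is nothing to compare.
    body = plaintext[:-1 - pad_len]
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(key, data, hashlib.sha1).digest()
    return data if hmac.compare_digest(tag, expected) else None


def demo():
    key = b"constructed-mac-key"                 # constructed sample key
    data = b"session=constructed-value"          # constructed sample payload
    arbitrary = seal(key, data, lambda n: b"\xaa" * n)     # SSL 3.0-style filler
    uniform = seal(key, data, lambda n: bytes([n]) * n)    # TLS-style filler
    return {
        "ssl3_accepts_arbitrary": open_record(key, arbitrary, False) == data,
        "tls_accepts_arbitrary": open_record(key, arbitrary, True) == data,
        "tls_accepts_uniform": open_record(key, uniform, True) == data,
    }


if __name__ == "__main__":
    print(demo())
```

Because the MAC is computed before padding is added, the SSL 3.0 receiver has no way to tell genuine padding from altered padding, which is the part of the record the flaw depends on.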
Chances are, Poodle is the kind of encryption doggerel we won't see the last of.