Google Researchers Discovered POODLE Attack


Google security researchers have found a severe flaw in SSL 3.0, a web encryption technology, that could allow hackers to steal sensitive and personal information.

The flaw is present in SSL 3.0 itself, which means it is 18 years old. SSL is a technology that encrypts data between a client and a server and secures most data sent over the Internet.

POODLE Attack?

POODLE stands for Padding Oracle On Downloaded Legacy Encryption. The POODLE attack was developed by Bodo Möller, Thai Duong and Krzysztof Kotowicz of Google.

The POODLE attack forces the connection to fall back to SSL 3.0. The attacker can then steal the victim's browser cookies and take control of the victim's accounts. To carry out this attack, an attacker requires privileged access to the user's network, so the attack might be possible in public areas, such as a WiFi network in a hotel or an airport.

Ivan Ristic, director of application security research with Qualys, said POODLE was not as serious as the previous threats because the attack was "quite complicated."

Adam Langley, who works on Google’s Chrome browser, says that this attack is not possible in Google Chrome, because connections made using Chrome to Google’s infrastructure use a mechanism called "TLS_FALLBACK_SCSV", which prevents downgrading.
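How a server can act on TLS_FALLBACK_SCSV, as an added example that is not from the original post or from Google: it parses a ClientHello and applies the server-side rule from RFC 7507. The function names, the server's version range and the sample messages are assumptions constructed for illustration.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600            # signalling cipher suite value (RFC 7507)
ALERT_PROTOCOL_VERSION = 70           # fatal alert: offered version not supported
ALERT_INAPPROPRIATE_FALLBACK = 86     # fatal alert defined by RFC 7507
SSL3, TLS10, TLS12 = 0x0300, 0x0301, 0x0303

def parse_client_hello(record: bytes):
    """Return (client_version, cipher_suites) from one TLS record holding a ClientHello."""
    if len(record) < 5 or record[0] != 22:              # 22 = handshake record
        raise ValueError("not a handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 4 or body[0] != 1:                   # 1 = client_hello
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 35:                                 # version + random + sid length
        raise ValueError("truncated ClientHello")
    version = struct.unpack("!H", hello[:2])[0]
    pos = 35 + hello[34]                                # skip the session id
    if pos + 2 > len(hello):
        raise ValueError("truncated ClientHello")
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    raw = hello[pos + 2:pos + 2 + cs_len]
    if len(raw) != cs_len or cs_len % 2:
        raise ValueError("bad cipher suite list")
    return version, [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, cs_len, 2)]

def server_decision(record: bytes, server_min=TLS10, server_max=TLS12):
    """Assumed server policy: SSL 3.0 disabled, TLS 1.0 to 1.2 enabled."""
    version, suites = parse_client_hello(record)
    # RFC 7507: the client says this hello is a fallback retry, yet the server
    # supports something newer, so the earlier failure was not a real incompatibility.
    if TLS_FALLBACK_SCSV in suites and version < server_max:
        return ("alert", ALERT_INAPPROPRIATE_FALLBACK)
    if version < server_min:
        return ("alert", ALERT_PROTOCOL_VERSION)
    return ("negotiate", min(version, server_max))

def build_client_hello(version: int, suites) -> bytes:
    """Constructed sample input: a minimal ClientHello with no extensions."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (struct.pack("!H", version) + bytes(32) + b"\x00"
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", version, len(hs)) + hs

if __name__ == "__main__":
    retry = build_client_hello(SSL3, [0x002F, TLS_FALLBACK_SCSV])
    print(server_decision(retry))
```

The downgraded retry is rejected even by a server that still has SSL 3.0 enabled (`server_min=SSL3`), because the check compares the offered version with the server's highest version, not its lowest.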

Mozilla said on its blog: "SSL version 3.0 is no longer secure. Browsers and websites need to turn off SSLv3 and use more modern security protocols as soon as possible."

Update: Twitter has disabled support for SSL 3.0, meaning the site will no longer work properly in older browsers, such as Internet Explorer 6.
