Secure Sockets Layer (SSL) traffic encryption we’ve trusted for safe communication on the net contains a vulnerability. Today Google researchers released that they’ve discovered a bug within the SSL 3.0 protocol, a PDF summarizing the exploit can be found here. The exploit can be employed to intercept vital data that’s meant to be encrypted between clients and web servers.
The exploit first enables attackers to trigger a “downgrade dance” that informs the client that the server doesn’t support the safer TLS (Transport Layer Security) protocol and forces it to connect by means of SSL 3.0.
After that a man-in-the-middle attack can decrypt secure HTTP cookies. Google refers to this as the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack.
Google researchers Bodo Möller, Thai Duong and Krzysztof Kotowicz advise disabling SSL 3.0 on servers and in clients. The server and client will default to the more secure TSL and the exploit won’t happen.
For end users, if your browser supports it, disable SSL 3.0 support or better yet use tools that support TLS_FALLBACK_SCSV (Transport Layer Security Signalling Cipher Suite Value), it prevents downgrade attacks. Google says that it will begin testing Chrome changes that disable using SSL 3.0 fallback and it will remove SSL 3.0 support completely from all its products in the coming months. In fact, there’s already a Chromium patch available that disables SSL 3.0 fallback.
You can disable SSL 3.0 right now can do so with the SSL Version Control add on for Firefox.
