Last updated: April 13, 2016
SSLv3 protocol vulnerability POODLE
A vulnerability in the SSLv3 communication protocol (SSL 3.0) has been disclosed that allows a man-in-the-middle attack on HTTPS connections. The vulnerability is known as POODLE, which stands for Padding Oracle On Downgraded Legacy Encryption, and was developed and disclosed by researchers at Google. According to an article on Kaspersky Labs’ ThreatPost website:
The attack is known as POODLE and was developed by several researchers at Google, including Thai Duong, who was part of the duo who developed the BEAST and CRIME attacks several years ago. The technique takes advantage of the fact that when a secure connection attempt fails, servers will fall back to older protocols, such as SSLv3, in an attempt to communicate securely with the remote client. An attacker who can trigger a connection failure can then force the use of SSLv3 and attempt the new attack.
The SSLv3 protocol is 15 years old, and has since been replaced with a new protocol called TLS 1.0. However, the vulnerability is important because SSLv3 is likely still enabled in your web browser as a fallback in case an older secure website does not support the newer protocol. As a result, it is advisable to disable SSLv3 in your web browser(s) to reduce exposure to the vulnerability. A blog post from Google on this vulnerability states:
Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today.
Note that disabling SSLv3 in your web browser to mitigate this vulnerability may cause compatibility issues with websites that require it. This is largely why the protocol remains included and enabled in web browsers today. Instructions for checking SSLv3 support in your web browser, and for disabling SSLv3 support, are available by visiting the links listed below: