It seems that SSL just cannot stay out of the news. Another vulnerability, this time in SSL 3.0, has been disclosed at the Google Online Security Blog. While SSL 3.0 has already been around for almost 15 years, it’s still being used throughout the Web, and nearly every browser supports it.
The key point though, is that even though newer and more secure versions of SSL are out and are being used, browsers work with older protocols when connections fail. This means an attacker can cause connection problems with the intent of triggering a deprecated version of SSL, leading to the exploitation of the service, and allowing for once-encrypted information to be seen in plain-text.
The newly disclosed vulnerability in SSL 3.0 does exactly this. Dubbed POODLE as an acronym for Padding Oracle On Downgraded Legacy Encryption, researchers have shown that because of the widespread support for this, an attacker can assume it will be easy to find a situation where an SSLv3 connection can be forced and put to use for capturing data.
Who does this affect?
Before the disclosure, nearly all browsers and sites were backwards compatible with the older encryption version of SSL. Servers all over the Internet are still allowing SSL 3.0, so it is definitely an active threat to users thinking that they are sending sensitive information privately to a receiving website. While Mozilla only accounts for .3% of all its users’ HTTPS traffic to be over the vulnerable version, that is still millions of sensitive connections everyday. Taking into account that opportunists will now be actively working to force normal users into activating the older encryption method for malicious purposes, privacy is an increasingly major concern with this release of information on yet another vulnerability in SSL.
What is being done?
To fix this, developers and admins need to disable the older version, and the ability to downgrade to it when other versions experience issues. It’s already in the works at the Browser and Hosting levels, and development and security authorities are calling for the immediate conclusion of its accepted use.
This will be relatively painless, as the only browser that still requires it active to be functional is Internet Explorer 6. The one task that will insure that this new disclosure, and the issues discovered won’t reveal encrypted data at a massive level, is for all browsers and websites to stop using SSLv3 and adopt the most modern and secure protocols as quickly as possible.
Sucuri Website Firewall Clients Protected
Any website running on the Sucuri Website Firewall (CloudProxy) is already proactively protected against this vulnerability. SSLv3 has been completely disabled for anyone using our product, and connections to a website protected by CloudProxy remain private and secure.
If your server or website is still supporting SSLv3, and there is a concern about private data being made available in the clear, adding the Sucuri CloudProxy product will virtually patch the vulnerability.