First there was Heartbleed, then Shellshock, and now Poodle, yet another serious security vulnerability in yet another widely used piece of software that went unnoticed for years.
This time, the Poodle vulnerability — which stands for Padding Oracle On Downloaded Legacy Encryption — was found in a 15-year-old web encryption technology called SSL 3.0. SSL, which stands for Secure Socket Layer, is the technology that encrypts a user’s browsing session, making it difficult for anyone using the public Wi-Fi at Starbucks, for instance, to eavesdrop. The Poodle bug makes it possible for hackers to eavesdrop on a user’s web browsing, especially when the user is connected via a public Wi-Fi network, and to hijack the victim’s browsing session and do things like take over their email, online banking or social networking accounts.
Three researchers at Google, Bodo Möller, Thai Duong and Krzysztof Kotowicz, disclosed details of a Poodle attack in a report last month. Rumors of the bug have leaked over the last few days, prompting the OpenSSL Project, which develops the most widely used type of SSL encryption software, to publish the report on Tuesday. The advisory prompted makers of web browsers and server software, as well as some technology companies, to disable support for SSL 3.0.
Security researchers say that the Poodle bug is more innocuous than Heartbleed or Shellshock. For one, they note that SSL 3.0 has been largely superseded by a newer encryption protocol called Transport Layer Security, or TLS. Also, to pull off a Poodle attack, security researchers say, the victim has to be actively online and physically close to the attacker — say, using the same public Wi-Fi.
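Why SSL 3.0 is a "padding oracle" while TLS is not, as an added example that is not part of the article or the Google report: the two functions below are my own and encode each protocol's rule for checking the padding at the end of a CBC-encrypted record. SSL 3.0 accepts any padding content as long as the length byte is plausible, whereas TLS 1.0 and later require every padding byte to match, which is why moving clients and servers off SSL 3.0 closes the hole. The inputs are constructed, the cipher block size is assumed to be 8 bytes, and the MAC check and decryption are left out.

```python
import hmac

# Added illustration. Both functions receive the already-decrypted final CBC
# block of a record: data bytes || padding bytes || padding-length byte.
# Only the padding rule differs between the two protocols.

def ssl3_padding_ok(decrypted: bytes, block_size: int) -> bool:
    """SSL 3.0 rule (RFC 6101, section 5.2.3.2): the last byte is the padding
    length and must be smaller than the cipher block size. The padding bytes
    themselves are never inspected, so any content in them is accepted."""
    if not decrypted:
        return False
    pad_len = decrypted[-1]
    return pad_len < block_size and pad_len + 1 <= len(decrypted)

def tls_padding_ok(decrypted: bytes) -> bool:
    """TLS 1.0+ rule (RFC 2246, section 6.2.3.2): the padding-length byte is
    preceded by that many bytes, all of which must carry the same value."""
    if not decrypted:
        return False
    pad_len = decrypted[-1]
    if pad_len + 1 > len(decrypted):
        return False
    expected = bytes([pad_len]) * (pad_len + 1)
    # Constant-time comparison so the check itself does not leak via timing.
    return hmac.compare_digest(decrypted[-(pad_len + 1):], expected)

def compare_rules(block_size: int = 8) -> dict:
    """Constructed inputs: a well-formed block, and a block of the same shape
    whose padding bytes are arbitrary but whose length byte is still plausible."""
    well_formed = b"A" + bytes([6]) * 7                    # 1 data byte, 6 pad bytes, length 6
    garbage_pad = b"A" + b"\x13\x37\xde\xad\xbe\xef" + bytes([6])  # padding content tampered
    return {
        "ssl3_accepts_well_formed": ssl3_padding_ok(well_formed, block_size),
        "tls_accepts_well_formed": tls_padding_ok(well_formed),
        "ssl3_accepts_garbage": ssl3_padding_ok(garbage_pad, block_size),
        "tls_accepts_garbage": tls_padding_ok(garbage_pad),
    }

if __name__ == "__main__":
    for name, verdict in compare_rules().items():
        print(f"{name}: {verdict}")
```

The SSL 3.0 check answers "valid" for the tampered block and the TLS check answers "invalid"; that difference in behaviour is the oracle the bug's name refers to.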
Bodo Möller, one of the three Google researchers who discovered the bug, suggested a workaround on Google’s blog to secure web servers, but added that Google would remove support for SSL 3.0 from future customer software.
Mozilla said it would disable SSL 3.0 in the next version of the Firefox browser, which it plans to release on Nov. 25, and suggested browsers and websites turn off the feature in the meantime. Other companies, like Twitter, said they had disabled support for SSL 3.0 and that some users may need to update their browsers to use the service.