What is SSL3.0 POODLE?
POODLE allows for encrypted communication using the SSLv3 protocol to be decrypted, revealing the plaintext contents. It is slow to exploit, however with persistence it will work against any SSLv3 implementation using Cipher Block Chaining (CBC) ciphersuites.
Vulnerability Disclosed in SSL 3.0 Poodle
It seems that SSL just cannot stay out of the news. Another vulnerability, this time in SSL 3.0, has been disclosed at the Google Online Security Blog. While SSL 3.0 has already been around for almost 15 years, it’s still being used throughout the Web, and nearly every browser supports it.
The key point though, is that even though newer and more secure versions of SSL are out and are being used, browsers work with older protocols when connections fail. This means an attacker can cause connection problems with the intent of triggering a deprecated version of SSL, leading to the exploitation of the service, and allowing for once-encrypted information to be seen in plain-text.
The newly disclosed vulnerability in SSL 3.0 does exactly this. Dubbed POODLE as an acronym for Padding Oracle On Downgraded Legacy Encryption, researchers have shown that because of the widespread support for this, an attacker can assume it will be easy to find a situation where an SSLv3 connection can be forced and put to use for capturing data.
Who does this affect?
Before the disclosure, nearly all browsers and wordpress were backwards compatible with the older encryption version of SSL. Servers all over the Internet are still allowing SSL 3.0, so it is definitely an active threat to users thinking that they are sending sensitive information privately to a receiving wordpress. While Mozilla only accounts for .3% of all its users’ HTTPS traffic to be over the vulnerable version, that is still millions of sensitive connections everyday. Taking into account that opportunists will now be actively working to force normal users into activating the older encryption method for malicious purposes, privacy is an increasingly major concern with this release of information on yet another vulnerability in SSL.
What is being done?
To fix this, developers and admins need to disable the older version, and the ability to downgrade to it when other versions experience issues. It’s already in the works at the Browser and Hosting levels, and development and security authorities are calling for the immediate conclusion of its accepted use.