Remember when security researchers found a vulnerability in OpenSSL that potentially put the entire world at risk of having their data compromised? Well, Heartbleed appears not to be the end of these vulnerabilities. Well, Google has found another vulnerability in an older version of SSL, in SSL 3.0. Thankfully, SSL 3.0 has mostly been replaced by TLS 1.0, TLS 1.1 and TLS 1.2 but many of those systems still have SSL 3.0 as a backup in the event of a need to support this legacy protocol.
Three Google security researchers published a paper back in September called This POODLE bites: Exploiting the SSL 3.0 Fallback in that document, Bodo Möller, Thai Duong and Krzysztof Kotowicz from Google basically state upfront that SSL 3.0 is obsolete and insecure and that’s why most companies, websites and overall the world no longer uses it. However, because some implementations keep SSL 3.0 as a legacy support feature, there are some security vulnerabilities that can be exploited as a result of this. They also say, by simply disabling SSL 3.0 you can completely avoid this vulnerability as a whole. They call the attack that happens as a result of the downgrade to SSL 3.0 the POODLE (Padding Oracle On Downgraded Legacy Encryption) which allows them to steal “secure” HTTP cookies or any bearer tokens.
If you can’t disable SSL 3.0 for one reason or another in your setup, then they’ve provided for a detailed solution which helps work around this fallback vulnerability. Realistically this is nowhere near as scary as Heartbleed or Shellshock which are more broadly vulnerable on more systems and create a much greater effect on the victim’s data. But nonetheless, this is something that system administrators need to address on their own secure implementations in order to ensure that they do not become exposed to this SSL 3.0 Poodle attack.