Protecting yourself from POODLE attacks

Susan Bradley

No, this isn’t about Fluffy gone rogue. To keep our online browsing safe, we rely heavily on security protocols — the “S” in HTTPS.

But a new exploit — POODLE — shows that commonly used security protocols aren’t as secure as we thought; websites and browsers will both need an upgrade.

Pulling a new trick on a very old dog

By now, it might seem that an exploit is serious only if it has a catchy name attached to it. (I won’t go down the list of clever names; doing so might get Windows Secrets blocked by overly cautious ISPs.) The latest threat is Padding Oracle On Downgraded Legacy Encryption, or POODLE for short. That’s not a name that immediately brings viciousness to mind. As a poodle owner over the years, my greatest worry was being licked to death. But the recently revealed weakness in the Secure Sockets Layer (SSL) protocol that allows the POODLE exploit has the digital-security world worrying about a new round of nasty malware bites.

Perhaps most problematic, there’s no quick patch or easy fix; the flaw is hard-coded within SSL 3.0. As Scott Helme explains on his blog, the “attack, specifically against the SSLv3 protocol, allows an attacker to obtain the plaintext of certain parts of an SSL connection, such as the cookie.”

A note on terminology here: SSL and TLS (Transport Layer Security) are often referred to simply as SSL. However, TLS officially replaced the SSL 3.0 protocol over a decade ago. But like most things on the Web, the SSL 3.0 protocol lives on and is still in widespread use. (See the Wikipedia “Transport Layer Security” page for more details.) In short, the SSL protocols are all vulnerable; the TLS protocols, as far as we know, aren’t.

The POODLE exploit compromises the SSL protocol by forcing the server/browser connection to downgrade its TLS connection to SSL 3.0. That change allows leaks of cookie information, which could then lead to the disclosure of sensitive, personal information.

Fortunately, POODLE is not an easy exploit. It might take an attacker several hundred HTTPS requests before successfully forcing the Web server and a client browser to downgrade to a vulnerable SSL connection. On the other hand, the Web’s patchwork nature gives POODLE exploits an extremely large kennel to work in.
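An added example, not part of the original article: Python code that reads the version field from a captured ClientHello/ServerHello pair and flags a handshake that landed on SSL 3.0, the condition the downgrade described above produces. The function names and the sample records are constructed for illustration, and it assumes SSL 3.0 through TLS 1.2 hellos that each fit in a single record.

```python
import struct

NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
SSL3 = 0x0300

def hello_version(record: bytes, expect_type: int) -> int:
    """Return the protocol version carried in a ClientHello (1) or ServerHello (2)."""
    if len(record) < 5:
        raise ValueError("short record header")
    content_type, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if content_type != 22 or len(body) != rec_len or rec_len < 6:
        raise ValueError("not a complete handshake record")
    if body[0] != expect_type:
        raise ValueError("unexpected handshake message type")
    if int.from_bytes(body[1:4], "big") > rec_len - 4:
        raise ValueError("hello spans several records (not handled here)")
    # client_version / server_version are the first two bytes of the hello body.
    return struct.unpack("!H", body[4:6])[0]

def audit_handshake(client_hello: bytes, server_hello: bytes) -> list:
    """Return findings for a handshake that ended up on SSL 3.0 (empty list if none)."""
    offered = hello_version(client_hello, 1)
    chosen = hello_version(server_hello, 2)
    findings = []
    if chosen == SSL3 and offered > SSL3:
        findings.append("server chose SSL 3.0 although client offered "
                        + NAMES.get(offered, hex(offered)))
    elif chosen == SSL3:
        findings.append("client offered at most SSL 3.0: legacy client or fallback retry")
    return findings

def make_hello(hs_type: int, version: int) -> bytes:
    """Constructed sample record: zeroed random, empty session id, one cipher suite."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    body += b"\x00\x02\x00\x2f\x01\x00" if hs_type == 1 else b"\x00\x2f\x00"
    msg = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, version, len(msg)) + msg

if __name__ == "__main__":
    print(audit_handshake(make_hello(1, 0x0303), make_hello(2, 0x0303)))  # TLS 1.2 pair
    print(audit_handshake(make_hello(1, 0x0300), make_hello(2, 0x0300)))  # SSL 3.0 pair
```
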

Protecting browsers from POODLE attacks


All Windows Secrets articles posted on 2014-10-23:


About Susan Bradley

Susan Bradley is a Small Business Server and Security MVP, a title awarded by Microsoft to independent experts who do not work for the company. She's also a partner in a California CPA firm.