Researchers at Google recently uncovered a major flaw in the SSLv3 encryption protocol. The vulnerability is nicknamed Poodle – an acronym for padding oracle on downgraded legacy encryption – and attacks exploiting it rely in large part on the ability to force target browsers to fall back to the legacy protocol. The browsers inherently include weaknesses that hackers can take advantage of to access encrypted information.
An alert released by the U.S. computer emergency response team this week explained that the flaw rests within the way the protocol is designed to handle block cipher mode padding. When exploited by cybercriminals, it allows the decryption and extraction of information inside an encrypted transaction. In an interview with PCWorld, security expert Greg Foss noted that SSLv3 does not specify the contents of padding bytes, allowing for attackers to exploit the program.
Most Web browsers do not employ SSLv3 any longer, but the majority will still negotiate an encryption protocol compatible with the site or server they are connecting to and are capable of downgrading to SSLv3 if necessary. According to researchers with Google, SSLv3 support also still exists in order to work around problems from HTTPS servers that can block older browsers.
Use of outdated technology putting organizations at risk
In an interview with PCWorld, solutions architect Garve Hayes noted that part of what makes the flaw so dangerous is the fact that organizations are putting putting compatibility to aging protocols over the security of their systems.
“One of the culprits in this case is Internet Explorer 6,” Hayes explained. “Why would anyone still be using this? Furthermore, why would you allow your servers to auto-negotiate down to a protocol supported by IE 6? I guess in this long-tail world, you never want to let even one customer get away.”
The weaknesses inherent in these old systems are especially concerning for government agencies, which are notorious for using out-of-date browsers and operating systems liked IE 6 and Windows XP. It appears that the more modern Transportation Layer Security encryption protocol is not vulnerable to the Poodle flaw, making it a secure alternative for companies to employ. Organizations have no way of knowing what protocol the sites they are visiting utilize, however, so additional security measures should still be taken to ensure data protection. Techniques like two-factor authentication can help to provide an extra layer of security between malicious actors and sensitive information.