Google researchers Bodo Möller, Thai Duong and Krzysztof Kotowicz have discovered a flaw in SSL 3.0’s design that makes it susceptible to attacks with POODLE, which stands for Padding Oracle On Downgraded Legacy Encryption. POODLE was developed by the three at Google for their research paper. Let’s start off by explaining what each of these things is in more detail.
SSL 3.0
SSL (Secure Sockets Layer) 3.0 is used by web browsers to encrypt data between a client and a server, and it secures most data sent over the Internet. SSL 3.0 is over 15 years old and has been replaced by TLS 1.0, TLS 1.1, and TLS 1.2, but it is still a problem because many servers are backwards compatible. Servers keep this backwards compatibility to maintain the user’s experience: if someone is still using SSL 3.0 in their browser, servers still want to let that user access a website without getting SSL encryption errors.
POODLE
POODLE (Padding Oracle On Downgraded Legacy Encryption) is an attack that was developed by Bodo Möller, Thai Duong and Krzysztof Kotowicz to exploit the design flaw in SSL 3.0. POODLE can steal a user’s HTTP cookies, authorization tokens and other data, thus gaining access to their usernames and passwords for anything from email to social media accounts to online banking accounts.
Many servers and browsers now use the updated TLS 1.0, TLS 1.1, and TLS 1.2 encryption. But because many servers and browsers maintain backwards compatibility with SSL 3.0, the POODLE attack causes failed connections or glitches with the up-to-date security protocols, so browsers automatically downgrade and try older security protocols, in this case the vulnerable SSL 3.0 encryption.
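As an added example (not from the original article or the Google paper), this Python code reads the protocol version a server selected in its ServerHello, which shows whether a connection ended up on SSL 3.0 after a downgrade. The function names are hypothetical and the sample records are constructed for the example.

```python
import struct

# Wire values of the protocol versions named in the article.
# (TLS 1.3 servers also send 0x0303 here and signal 1.3 in an extension,
# which this example does not parse.)
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
            0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def negotiated_version(record: bytes) -> str:
    """Return the version the server selected in a ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _record_version, length = struct.unpack("!BHH", record[:5])
    if content_type == 21:  # alert: the server refused this handshake
        raise ValueError("server sent an alert, not a ServerHello")
    if content_type != 22:  # 22 = handshake
        raise ValueError("not a handshake record")
    body = record[5:5 + length]
    if len(body) != length or length < 6:
        raise ValueError("truncated handshake message")
    if body[0] != 2:  # handshake type 2 = ServerHello
        raise ValueError("handshake message is not a ServerHello")
    (version,) = struct.unpack("!H", body[4:6])  # follows type(1) + length(3)
    return VERSIONS.get(version, f"unknown (0x{version:04x})")

def accepts_ssl3(record: bytes) -> bool:
    """True when the server agreed to SSL 3.0, the version POODLE targets."""
    return negotiated_version(record) == "SSL 3.0"

def sample_server_hello(version: int) -> bytes:
    """Constructed sample input: a minimal ServerHello for `version`."""
    hello = (struct.pack("!H", version) + bytes(32)  # version + random
             + b"\x00"        # empty session id
             + b"\x00\x2f"    # a CBC cipher suite
             + b"\x00")       # no compression
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake

if __name__ == "__main__":
    for v in (0x0300, 0x0303):
        rec = sample_server_hello(v)
        status = "SSL 3.0 accepted" if accepts_ssl3(rec) else "not SSL 3.0"
        print(negotiated_version(rec), "->", status)
```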
Should I Be Worried?
While SSL 3.0 does have a major flaw in its design, not many browsers use it because it is over 15 years old. You would be most vulnerable if you are still using Windows Internet Explorer 6 on Windows XP. In the coming weeks, browsers will be coming out with patches to prevent this backwards compatibility from occurring. Also, if an attacker were to try to steal your information, they would need access to the network that you were connected to. You should be safe on your password-protected home network. The most likely place to be attacked would be on public Wi-Fi, such as at an airport, coffee shop or restaurant.