Google Security Team Discovered Vulnerability “POODLE”: End Of SSL 3.0


A Google security team has discovered a serious vulnerability in Secure Sockets Layer (SSL) 3.0 that compromises the security of users' confidential data. The attack is known as POODLE and was discovered by researchers at Google. SSL 3.0 is still widely used, and by exploiting this vulnerability attackers can gain access to things like passwords and cookies.

SSL 3.0 is an insecure protocol that has been superseded by TLS 1.0, TLS 1.1 and TLS 1.2, but many TLS implementations maintain backward compatibility with SSL 3.0 in order to accommodate legacy systems and keep the user experience smooth.

Normally, the protocol handshake provides authenticated negotiation of the protocol version. In this way, the latest version of the protocol that is common to both the client and the server is used.

However, this is where the problem lurks. “Even if the client and the server both support a version of TLS, the security level that SSL 3.0 provides is still relevant, because many clients downgrade the protocol to deal with interoperability problems on the server side,” said Bodo Moeller, a researcher working on the same team.

In one such attack, called POODLE (Padding Oracle On Downgraded Legacy Encryption), an attacker can steal “secure” HTTP cookies or other tokens such as the contents of the HTTP Authorization header. This security hole stems from the broken RC4 encryption in SSL 3.0.

RC4 encryption dates back to 1987, and it is about as reliable as a car from that year. There are several ways to decrypt RC4, but that did not end the use of SSL 3.0 and RC4. In fact, Microsoft says that even in 2013, RC4 was still being used in over 40% of web connections.

POODLE showed a new way to exploit this vulnerability, which exists on the web today. According to Moeller's description, it is made possible by using a form of man-in-the-middle attack known as BEAST.

The POODLE attack requires an SSL 3.0 connection to be established. Therefore, disabling SSL 3.0 in either the server or the client (typically a web browser or other client program) lets the user avoid this attack. However, as Mr. Moeller pointed out, there are cases where the only “encryption” protocol the two sides share is SSL 3.0. In that case, a serious update is needed in order to avoid unsafe encryption.

Google recommends that web or SSH servers support TLS_FALLBACK_SCSV. This makes it possible to prevent the server from accepting a retry of a failed connection. As a result, the browser can be prevented from defaulting to SSL 3.0 when it cannot connect with the latest protocol.
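The server-side check behind TLS_FALLBACK_SCSV, as an added Python example that is not from the original article or from Google's code. It follows RFC 7507: a client that retries at a lower version adds cipher suite value 0x5600 to its ClientHello, and a server that supports a higher version answers with the inappropriate_fallback alert (86). The function names and the sample ClientHello bytes are constructed for illustration.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600         # signalling cipher suite value (RFC 7507)
ALERT_INAPPROPRIATE_FALLBACK = 86  # fatal alert defined by RFC 7507
SSL3, TLS12 = (3, 0), (3, 3)       # wire versions as (major, minor)

def parse_client_hello(body):
    """Return (client_version, cipher_suites) from a ClientHello body.

    `body` starts at client_version (handshake header already stripped).
    """
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    version = (body[0], body[1])
    pos = 2 + 32                    # skip version and 32-byte random
    pos += 1 + body[pos]            # skip session_id length byte and value
    if pos + 2 > len(body):
        raise ValueError("truncated before cipher_suites")
    (cs_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    return version, list(struct.unpack_from("!%dH" % (cs_len // 2), body, pos))

def server_decision(body, server_max=TLS12):
    """Apply the fallback check a TLS_FALLBACK_SCSV-aware server performs."""
    version, suites = parse_client_hello(body)
    # SCSV present means "this is a retry below the best version I support".
    # If the server could have done better, the downgrade was not legitimate.
    if TLS_FALLBACK_SCSV in suites and version < server_max:
        return ("alert", ALERT_INAPPROPRIATE_FALLBACK)
    return ("negotiate", min(version, server_max))

def build_client_hello(version, suites):
    """Constructed sample input: minimal ClientHello body, no extensions."""
    return (bytes(version) + bytes(32) + b"\x00"
            + struct.pack("!H", 2 * len(suites))
            + struct.pack("!%dH" % len(suites), *suites)
            + b"\x01\x00")          # one compression method: null

if __name__ == "__main__":
    samples = {
        "first try": build_client_hello(TLS12, [0xC02F, 0x002F]),
        "downgraded retry": build_client_hello(SSL3, [0x002F, TLS_FALLBACK_SCSV]),
        "legacy client": build_client_hello(SSL3, [0x002F]),  # never sends SCSV
    }
    for name, hello in samples.items():
        print(name, server_decision(hello))
```

The "legacy client" case still negotiates SSL 3.0 because no SCSV is sent, which is why the signal complements disabling SSL 3.0 rather than replacing it.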

Mr. Moeller Concluded as Follows

“Since February, our servers and Google Chrome have supported TLS_FALLBACK_SCSV. Therefore, we have obtained enough evidence that it can be used without any compatibility issues. Additionally, today, Google Chrome plans to start testing changes that disable the fallback to SSL 3.0. This change may have an impact on some sites, and those sites will need to be updated immediately. In the coming months, I hope that support for SSL 3.0 is removed from the client products.”