Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

What is POODLE Vulnerability and How Does it Affect You ?

DZone's Guide to

What is POODLE Vulnerability and How Does it Affect You ?

· Cloud Zone
Free Resource

Linkerd, the open source service mesh for cloud native applications. Get the complete guide to using Linkerd and Kubernetes to build scalable, resilient applications.

What is POODLE?

It stands for “Padding Oracle On Downgraded Legacy Encryption.”.This means a protocol downgrade that allows exploits on an outdated form of encryption.It was first explained in Google Security Advisory.

Poodle
Poodle

To explain this in simpler terms, if an attacker using a Man-In-The-Middle attack can take control of a router at a public hotspot, they can force your browser to downgrade to SSL 3.0 (an older protocol) instead of using the much more modern TLS (Transport Layer Security), and then exploit a security hole in SSL to hijack your browser sessions and get useful information out of your session cookies to your accounts in Google,Yahoo or your bank too. Since this problem is in the protocol, anything that uses SSL is affected.

As long as both the server and the client (web browser) support SSL 3.0, the attacker can force a downgrade in the protocol, so even if your browser tries to use TLS, it ends up being forced to use SSL instead. The only answer is for either side or both sides to remove support for SSL, removing the possibility of being downgraded.

Impact

The POODLE attack can be used against any system or application that supports SSL 3.0 with CBC mode ciphers. This affects most current browsers and websites, but also includes any software that either references a vulnerable SSL/TLS library (e.g. OpenSSL) or implements the SSL/TLS protocol suite itself. By exploiting this vulnerability in a likely web-based scenario, an attacker can gain access to sensitive data passed within the encrypted web session, such as passwords, cookies and other authentication tokens that can then be used to gain more complete access to a website (impersonating that user, accessing database content, etc.)

How Can We Solve the Problem?

As a user, you want to protect yourself from attacks, and the best way to do that is to disable SSL 3 in your browser.

As a web site operator, you should disable SSL 3 on your servers as soon as possible. You need to do this even if you support the most recent TLS version because an active MITM attacker can force browsers to downgrade their connections all the way down to SSL 3, which can then be exploited

Microsoft Advisory -

https://technet.microsoft.com/en-us/library/security/3009008.aspx

References

Linkerd, the open source service mesh for cloud native applications. Get the complete guide to using Linkerd and Kubernetes to build scalable, resilient applications.

Topics:

Opinions expressed by DZone contributors are their own.

THE DZONE NEWSLETTER

Dev Resources & Solutions Straight to Your Inbox

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.

X

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}