Have you recovered from the shock of facing the two latest security threats in a row, only for a new internet security flaw to pop up: the Poodle bug? Yes, the Padding Oracle On Downgraded Legacy Encryption (Poodle) bug is the third security flaw discovered this year.
Poodle is a security bug in widely used software: the Secure Sockets Layer (SSL) 3.0 cryptography protocol (SSLv3), which is used to secure the internet. It was discovered by three researchers from Google. It is a flaw in web-encryption technology that is believed to open the door for hackers to take full charge of email, banking and several other online accounts.
Though the Poodle bug is considered a big threat to every encrypted internet activity, it is still considered less harmful than Heartbleed and Shellshock. Tal Klein, Vice President, Adallom, said, “If Shellshock and Heartbleed were Threat Level 10, then Poodle is more like a 5 or a 6”.
The important point to note here is that this is not a flaw in SSL Certificates, their private keys or their design; the flaw lies in the old SSLv3 protocol. The good news is that SSL Certificates are not affected by this security flaw, so customers who have certificates on servers supporting SSL 3.0 are not required to replace them.
How does the Poodle bug work?
The network between the computer and the server is always under the prying eyes of attackers. An attacker who controls the network between the computer and the server can interfere with the process used to verify which cryptography protocol the server can use. That verification is done with a ‘protocol downgrade dance’: when a connection attempt fails, the computer retries with an older protocol version. By interfering with those attempts, the attacker forces the computer to fall back to the older SSL 3.0 protocol to secure the data exchange. With the connection on SSL 3.0 and the network under the attacker's control, the bug can be exploited in a man-in-the-middle (MITM) attack.
The attack can be used to decrypt secure HTTP cookies, which could in turn allow attackers to steal information or take full control of the user’s online accounts. Once the bug is exploited, nothing is secure online.
Tips to fight back the Poodle Bug
Below is a list of actions that you as a user can follow:
- First, ensure that SSL 3.0 is disabled in your browser.
- Always check for secure ‘HTTPS’ when visiting any website to avoid MITM attacks.
- Keep an eye on notices from the vendors you use for recommendations regarding software and password updates.
- Try to avoid potential phishing emails sent to you by attackers, so that you do not end up on a false website.
- Always try to stick with the official site domain.
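The fallback behaviour described above, and the effect of the first tip (disabling SSL 3.0 in the browser), can be seen in a small Python model. This is an added example, not code from the original article; it simulates only the version-selection logic with no real TLS traffic, and the function names and version list are assumptions made for the illustration.

```python
# Toy model of the fallback ("downgrade dance") logic; no real TLS traffic.
VERSIONS = ["SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"]  # oldest to newest


def handshake(offered, server_versions, tamper=None):
    """One attempt in which the client offers `offered` as its highest version.

    `tamper` models an attacker on the network path: if it returns True for
    the offered version, the attempt fails as if the connection had broken.
    Returns the agreed version, or None if the attempt failed.
    """
    if tamper is not None and tamper(offered):
        return None
    # The server picks the newest version it supports that is not above the offer.
    limit = VERSIONS.index(offered)
    usable = [v for v in server_versions if VERSIONS.index(v) <= limit]
    return max(usable, key=VERSIONS.index) if usable else None


def downgrade_dance(client_versions, server_versions, tamper=None):
    """Retry with ever older versions until a handshake succeeds.

    Returns (agreed_version, attempts); agreed_version is None when every
    version the client allows has failed.
    """
    attempts = []
    for offered in sorted(client_versions, key=VERSIONS.index, reverse=True):
        attempts.append(offered)
        agreed = handshake(offered, server_versions, tamper)
        if agreed is not None and agreed in client_versions:
            return agreed, attempts
    return None, attempts


def break_anything_newer_than_ssl3(offered):
    """Constructed interference: every attempt above SSL 3.0 is made to fail."""
    return offered != "SSL 3.0"


if __name__ == "__main__":
    modern_only = [v for v in VERSIONS if v != "SSL 3.0"]
    print(downgrade_dance(VERSIONS, VERSIONS))
    print(downgrade_dance(VERSIONS, VERSIONS, break_anything_newer_than_ssl3))
    print(downgrade_dance(modern_only, VERSIONS, break_anything_newer_than_ssl3))
```

With SSL 3.0 removed from the client's list, interference on the network makes the connection fail outright instead of silently landing on SSL 3.0.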
Though every security flaw is scary, you as a user have full control over the security of your online activities. You just need to avoid access through unencrypted modes, and everything on your end will be secured.