POODLE SSL vulnerability doesn't equal Heartbleed, but still bad

Google researchers have uncovered a new SSL 3.0 vulnerability dubbed POODLE that could allow attackers to compromise secure Web communications, though it appears less serious than Heartbleed.

The rumor mill went into overdrive earlier this week with chatter that another SSL vulnerability -- on par with the infamous Heartbleed bug -- was set to be revealed. On Tuesday, a trio of Google Inc. researchers did in fact release details on a newly uncovered flaw in SSL 3.0 that experts say is worrisome, but not overly so.

On Tuesday, Bodo Möller, Thai Duong and Krzysztof Kotowicz, all members of the Google security team, released a research paper that details the POODLE (Padding Oracle On Downgraded Legacy Encryption) SSL vulnerability. The problem exists in the nearly 15-year-old version 3.0 of the SSL protocol, which would normally not be cause for concern, as the Web has largely moved on to its successor, the more secure Transport Layer Security (TLS) protocol.

What makes POODLE relevant though, according to the researchers, is that major Web browsers, including Google's Chrome and Mozilla's Firefox, still support SSL 3.0 for those fringe cases when they can't connect to an HTTPS server using more modern protocols.

Falling back to SSL 3.0 is problematic because it still uses the long-broken RC4 encryption cipher, meaning that if attackers can situate themselves between a server and client, they can eventually break the RC4 encryption (after enough transmissions have been delivered), ultimately revealing the contents of HTTPS cookies.

The Google researchers noted that elements of the BEAST SSL attack, which Duong had previously researched, could be used to successfully exploit the POODLE flaw. Google security engineer Adam Langley said in a blog post that POODLE is more severe than BEAST because BEAST required "extensive control of the format of the plaintext."

"Unlike with the BEAST and Lucky 13 attacks, there is no reasonable workaround," said the researchers in their paper, noting that simply disabling support for SSL 3.0 could cause compatibility problems. "This leaves us with no secure SSL 3.0 cipher suites at all: to achieve secure encryption, SSL 3.0 must be avoided entirely."

In response to the research, Möller advocated in the Google blog post for sites to enable TLS_FALLBACK_SCSV, which he said Google has supported in Chrome and its servers since February. He added that Google has begun testing changes that disable the fallback mechanism to SSL 3.0, which could force some sites to update if broken.

The Mozilla security team also announced plans to follow in Google's footsteps, stating in a blog post that the company will disable support for SSL 3.0 in Firefox 34, set for release on Nov. 25, and enable the downgrade protection mechanism TLS_FALLBACK_SCSV in Firefox 35. For users concerned about the impact of POODLE, Mozilla also released a browser extension that disables SSL 3.0.
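The fallback behaviour described above, and why TLS_FALLBACK_SCSV closes it, is easier to see in a small model. The following is an added example written for this page; it is not code from Google, Mozilla or the researchers. It abstracts the handshake down to a version number plus a cipher-suite list: a browser tries its highest protocol version first and, when the connection fails, retries one version lower while advertising TLS_FALLBACK_SCSV (the signalling cipher suite from RFC 7507), and a server that recognises the signal refuses any retry at a version below the best it supports. The server, client and interposed dropping party are simplified stand-ins, and the cipher-suite name and result strings are constructed for the example.

```python
"""
Model of the browser "downgrade dance" and the TLS_FALLBACK_SCSV
downgrade protection (RFC 7507).  Added example, not the article's code.
Real TLS records, keys and ciphers are abstracted away: a ClientHello is
just a protocol version and a list of offered cipher suites.
"""
from dataclasses import dataclass

SSL3, TLS10, TLS11, TLS12 = "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"
ORDER = [SSL3, TLS10, TLS11, TLS12]            # weakest to strongest
TLS_FALLBACK_SCSV = "TLS_FALLBACK_SCSV"        # value 0x5600 in RFC 7507


@dataclass
class ClientHello:
    version: str
    cipher_suites: list


@dataclass
class Server:
    max_version: str       # best protocol version the server speaks
    supports_scsv: bool    # whether it honours TLS_FALLBACK_SCSV

    def handle(self, hello: ClientHello) -> tuple:
        """Return ("ok", negotiated_version) or ("alert", reason)."""
        if self.supports_scsv and TLS_FALLBACK_SCSV in hello.cipher_suites:
            # The client says this is a retry at a lower version.  If we
            # could have done better, something between us forced the
            # downgrade: abort with the RFC 7507 fatal alert.
            if ORDER.index(hello.version) < ORDER.index(self.max_version):
                return ("alert", "inappropriate_fallback")
        chosen = min(hello.version, self.max_version, key=ORDER.index)
        return ("ok", chosen)


@dataclass
class Interposer:
    """Network position that silently drops any handshake above `allow`,
    the condition the downgrade attack depends on (model only)."""
    allow: str


def connect(server, interposer=None, client_max=TLS12, client_min=SSL3):
    """Run the client's fallback loop; return (negotiated version or None,
    list of (version, outcome) attempts).  A fatal alert ends the loop."""
    attempts = []
    candidates = ORDER[ORDER.index(client_min):ORDER.index(client_max) + 1]
    for version in reversed(candidates):
        suites = ["TLS_RSA_WITH_AES_128_CBC_SHA"]   # constructed placeholder suite
        if version != client_max:                    # this is a retry...
            suites.append(TLS_FALLBACK_SCSV)         # ...so signal it
        hello = ClientHello(version, suites)
        if interposer and ORDER.index(version) > ORDER.index(interposer.allow):
            attempts.append((version, "dropped"))    # looks like a network error
            continue                                 # client falls back
        status, detail = server.handle(hello)
        attempts.append((version, f"{status}:{detail}"))
        if status == "ok":
            return detail, attempts
        return None, attempts                        # fatal alert: never retry lower
    return None, attempts


if __name__ == "__main__":
    print("no interference       :", connect(Server(TLS12, False))[0])
    print("dropping, no SCSV     :", connect(Server(TLS12, False), Interposer(SSL3))[0])
    print("dropping, SCSV honoured:", connect(Server(TLS12, True), Interposer(SSL3)))
    print("client disabled SSLv3 :", connect(Server(TLS12, False), Interposer(SSL3), client_min=TLS10)[0])
```

Three outcomes matter for a defender: a server that ignores the signal lets a dropped handshake push the session all the way to SSLv3; a server that honours TLS_FALLBACK_SCSV answers the SSLv3 retry with a fatal `inappropriate_fallback` alert, so the client fails rather than downgrades; and a client that has removed SSLv3 from its list (the Firefox 34 and extension approach) never reaches the weak version at all. The signal only fires when the server could have done better, so a server whose best version genuinely is TLS 1.0 still negotiates normally with a client that fell back to it.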

POODLE SSL attacks difficult to execute

While POODLE could undoubtedly have grim consequences in cases where an exploit is successful, a number of security experts have said that the practicality of an attack using the SSL vulnerability means it's not as severe as some had originally anticipated.

Errata Security CEO Rob Graham said in a blog post that POODLE doesn't stack up to some of the more severe vulnerabilities that have been uncovered this year because it relies on a man-in-the-middle attack to successfully exploit it. That requires an attacker to sit between a server and browser, Graham added, which is only really possible if the attacker can either tap the backbone of the Internet like the NSA, or in cases where a user is relying on an unencrypted Internet connection like at a coffee shop.

Graham also speculated that attackers would more than likely be unable to glean sensitive data like passwords from decrypted cookies, but may be able to log in to accounts if a user is also actively logged in. For instance, an attacker could post tweets from a user's Twitter account or read email messages.

"Heartbleed and Shellshock allowed hacks against servers (meaning websites and such). POODLE allows hacking clients (your web browser and such)," stated Graham in his blog. "If Heartbleed/Shellshock merited a 10, then this attack is only around a 5."

Matthew Green, research professor at Johns Hopkins University and noted cryptographer, agreed in a blog post that this SSL vulnerability is "not another Heartbleed" and as such won't have a dire effect on Internet security.

Still, POODLE again proves how dependent Internet communications can be on completely outdated protocols, Green added, when browser vendors are more concerned about a user simply being able to connect to a site than doing so securely.

"Hopefully this will be the straw that breaks the camel's back and gets us to abandon obsolete protocols like SSLv3. But nobody [ever] went bankrupt betting on insecurity," said Green in his blog post. "It's possible that ten years from now we'll still be talking about ways to work around POODLE and its virulent flesh-eating offspring. All we can do is hope that reason will prevail."
