Google Reveals ‘Poodle’ Web-Encryption Bug

The bug affects a 15-year-old encryption standard known as SSL 3.0, but is less severe than Heartbleed or Shellshock.

Another week, another Internet vulnerability uncovered: Google researchers have reported a Web encryption bug that allows hackers to infiltrate email, banking, and other online accounts.

Dubbed Poodle (for "Padding Oracle On Downgraded Legacy Encryption"), the threat affects a 15-year-old encryption standard known as SSL 3.0. But it is reportedly less severe than Heartbleed or Shellshock.

Existing in old software and nearly all browsers, the bug is not easy to exploit: It requires a hacker to tap into the connection between you and your browser, referred to as a man-in-the-middle exploit.

"If Heartbleed/Shellshock merited a 10, then this attack is only around a 5," said Errata Security's Robert Graham.

So while you have little to worry about surfing the Web on a secure home connection, using the local coffee shop's unencrypted Wi-Fi makes it simpler for a nearby hacker to take complete control of your accounts.

The good news is they won't be able to steal your password.

Google researchers Bodo Möller, Thai Duong, and Krzysztof Kotowicz discovered the vulnerability, which unfortunately does not come with a quick fix.

Your best bet is to avoid SSL 3.0 entirely, and add a second mechanism called TLS_FALLBACK_SCSV, which will help solve the immediate problem and prevent future attacks.

Chrome and Firefox users can visit Googler Adam Langley's blog for more details on how to implement the patches.
