Hype for the vulnerability in SSLv3 was all bark and little bite

On Tuesday, Google’s Bodo Möller, along with fellow researchers Thai Duong and Krzysztof Kotowicz, disclosed a vulnerability in SSLv3 that lets an attacker on the network path recover plaintext from an encrypted connection. The issue generated a good deal of hype late Monday and through most of Tuesday, but the weakness it exploits is one that researchers have known about, or at least suspected, for some time. According to the published advisory, the attack itself was discovered last month.

Called POODLE (Padding Oracle On Downgraded Legacy Encryption), the attack hinges on the fact that, in order to interoperate with buggy legacy servers, most TLS clients retry with a lower protocol version each time a handshake fails. If an attacker controls the network between the client and the server and blocks every handshake that offers TLS 1.0 or later, the client eventually retries with SSLv3, and that is the connection the attacker then works against.

“SSL 3.0 is nearly 15 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue,” wrote Möller.
This downgrade behaviour, and the weakness of SSLv3 itself, have been known for a while, and many experts have called for SSLv3 to be removed because of it. POODLE is not a nightmare scenario, but man-in-the-middle attacks are still a serious problem, and in a situation like this one they stand a good chance of success because the attacker can lean on SSLv3’s weaknesses once the downgrade has been forced. Full details of the attack and how it works are available in the advisory.

Google’s researchers recommend disabling SSLv3 on the client, on the server, or preferably on both, which prevents this attack and any other that depends on a downgraded connection. “If either side supports only SSL 3.0, then all hope is gone, and a serious update [is] required to avoid insecure encryption,” the advisory explains.

However, cutting SSLv3 off entirely and at once can break things where legacy systems still need it. For those cases, Google recommends implementing support for TLS_FALLBACK_SCSV. “This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks,” explained Möller. The caveat a practitioner should keep in mind: TLS_FALLBACK_SCSV only does its job when both the client and the server implement it, and it stops the forced downgrade rather than fixing SSLv3, so a connection that is genuinely negotiated at SSLv3 remains exposed.
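The version-fallback loop described above, and the way TLS_FALLBACK_SCSV breaks it, are easier to see in a small model than in prose. The following is an added example written for this page; it is not code from the article, from Google’s advisory, or from any TLS library. It models only version negotiation (ClientHello version and cipher-suite list, ServerHello version) with a client, a server and an attacker-controlled network that drops handshakes above a chosen version. There is no record layer and no cipher, and it does not reproduce the padding-oracle step that POODLE uses once SSLv3 is negotiated. The version tuples are the wire values (SSLv3 is 3.0, TLS 1.0 is 3.1, and so on) and 0x5600 is the real SCSV code point from RFC 7507; the class and function names, the `scenario` helper and the six configurations run at the bottom are constructed for illustration.

```python
"""Model of the TLS version-fallback dance and TLS_FALLBACK_SCSV (RFC 7507).

Added illustration, not code from the article or from Google's advisory.
Only version negotiation is modelled: no record layer, no cipher, and
nothing of the padding-oracle step POODLE then runs against SSLv3.
"""

SSL3, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)   # wire version numbers
NAMES = {SSL3: "SSLv3", TLS10: "TLS1.0", TLS11: "TLS1.1", TLS12: "TLS1.2"}
TLS_FALLBACK_SCSV = 0x5600   # signalling cipher suite value, RFC 7507
AES128_SHA = 0x002F          # TLS_RSA_WITH_AES_128_CBC_SHA, a CBC suite


class HandshakeFailure(Exception):
    """Raised with the alert name (or 'connection reset') that ended an attempt."""


class Server:
    def __init__(self, supported, honours_scsv):
        self.supported = sorted(supported)
        self.honours_scsv = honours_scsv

    def client_hello(self, client_version, cipher_suites):
        """Pick a version the way a server does: the highest it supports that
        is not above the client's offered maximum.  A server that honours
        SCSV refuses a retry marked as fallback when it could have done better
        (RFC 7507: respond with an inappropriate_fallback alert)."""
        server_max = self.supported[-1]
        if (self.honours_scsv and TLS_FALLBACK_SCSV in cipher_suites
                and client_version < server_max):
            raise HandshakeFailure("inappropriate_fallback")
        usable = [v for v in self.supported if v <= client_version]
        if not usable:
            raise HandshakeFailure("protocol_version")
        return max(usable)


class AttackerNetwork:
    """Path between client and server.  When block_above is set, every
    ClientHello offering a version above it is dropped, which is all the
    active attacker in the article needs to do to trigger the retries."""
    def __init__(self, server, block_above=None):
        self.server = server
        self.block_above = block_above

    def deliver(self, client_version, cipher_suites):
        if self.block_above is not None and client_version > self.block_above:
            raise HandshakeFailure("connection reset")
        return self.server.client_hello(client_version, cipher_suites)


def connect_with_fallback(network, client_versions, send_scsv):
    """Browser-style retry loop: offer the highest version, and on any failure
    retry with the next lower one.  With send_scsv=True every retry carries
    TLS_FALLBACK_SCSV so the server can tell a forced downgrade from a client
    whose first offer is genuinely old.  Returns (negotiated_version, attempts)."""
    offers = sorted(client_versions, reverse=True)
    last_error = None
    for attempt, version in enumerate(offers, start=1):
        suites = [AES128_SHA]
        if send_scsv and attempt > 1:        # first attempt is never a fallback
            suites.append(TLS_FALLBACK_SCSV)
        try:
            chosen = network.deliver(version, suites)
        except HandshakeFailure as exc:
            last_error = exc
            continue
        if chosen not in client_versions:    # e.g. server chose SSLv3, client has it off
            last_error = HandshakeFailure("protocol_version")
            continue
        return chosen, attempt
    raise last_error or HandshakeFailure("no versions offered")


def scenario(server_versions, honours_scsv, client_versions, send_scsv, block_above):
    """Run one configuration end to end; returns (version_name, attempts) on
    success or ("failed", reason) when no connection is established."""
    network = AttackerNetwork(Server(server_versions, honours_scsv), block_above)
    try:
        version, attempts = connect_with_fallback(network, client_versions, send_scsv)
        return NAMES[version], attempts
    except HandshakeFailure as exc:
        return "failed", str(exc)


ALL = [SSL3, TLS10, TLS11, TLS12]
MODERN = [TLS10, TLS11, TLS12]   # SSLv3 disabled, the advisory's first recommendation

if __name__ == "__main__":   # constructed configurations for the six cases discussed
    print("no attacker:            ", scenario(ALL, False, ALL, False, None))
    print("attacker, no SCSV:      ", scenario(ALL, False, ALL, False, SSL3))
    print("attacker, SCSV both ends", scenario(ALL, True, ALL, True, SSL3))
    print("attacker, SSLv3 off:    ", scenario(ALL, False, MODERN, False, SSL3))
    print("SSLv3-only server:      ", scenario([SSL3], False, MODERN, False, None))
    print("old client, SCSV server:", scenario(ALL, True, [SSL3, TLS10], True, None))
```

The second case is the one the article describes: with nothing but dropped packets the attacker walks the client down to SSLv3 on the fourth attempt. The third shows why SCSV is only a downgrade guard: the server rejects the marked retry, so the client gets no connection at all rather than an SSLv3 one, and the sixth shows that a client whose highest version really is TLS 1.0 is not penalised because its first offer carries no SCSV. The fourth and fifth cases correspond to the two halves of the advisory’s advice: disabling SSLv3 on the client defeats the downgrade outright, while a server that speaks only SSLv3 cannot be talked to safely at all.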