SSL 3.0: POODLE Vulnerability Update
Who it affects, how hackers could use it, and what you should do about it.
You’ve probably heard about the newest online security threat, POODLE. While not as menacing as Shellshock or Heartbleed, many are still concerned about its potential impact on their business or personal security.

Here’s what we think: the chances of this vulnerability being used to compromise your sensitive information are relatively low. Successful exploitation requires such a large number of preconditions that the chance of this attack being used in the wild is small. It would probably only be a concern if you are likely to be targeted by a state-sponsored organization.
Here are the facts
- POODLE affects browsers with JavaScript enabled that support SSL 3.0
- The vulnerability could be used to retrieve authentication cookies that are encrypted via a man-in-the-middle attack
While this is a legitimate attack, the likelihood of being compromised via POODLE is very small.
Can I be compromised through POODLE?
Here’s an explanation of how an attack would have to take place in order for an attacker to exploit POODLE and assume the user’s identity on the target site.
- The victim must be logged into a site using HTTPS (and the session cookie must not be expired)
- The victim must browse to another website over HTTP before the session cookie expires
- The attacker must write custom JavaScript to exploit POODLE. To date, no prepackaged tool has been published to exploit POODLE
- The attacker must inject ~5,000 requests in order to decrypt the session cookie
Our recommendations?
- If you are still using Internet Explorer 6, you are using an obsolete operating system that is no longer supported. You need to upgrade to a newer operating system. If upgrading is not an option, you need to update to a newer browser that does not support SSL 3.0.
- If you are running a webserver and currently support SSL 3.0, you need to evaluate your business requirements to determine if SSL 3.0 is currently being used. If it is not, simply disable SSL 3.0. Otherwise, develop a plan to disable it as soon as possible.
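To decide whether SSL 3.0 is still in use before you turn it off, the most reliable evidence is what your server actually negotiates. The script below is an added example, not code from the original post: it parses the record and handshake headers of captured ClientHello/ServerHello messages (SSL 3.0 and TLS share the same framing), counts the version each ServerHello selected, flags any session that ended up on SSL 3.0, and lists clients whose ClientHello offers nothing newer than SSL 3.0 (the ones that would break once it is disabled). The capture itself is constructed inline for the example; feed it records from your own traffic instead. One caveat: TLS 1.3 keeps 0x0303 in the ServerHello version field and signals 1.3 in an extension, so this parser reports such sessions as TLS 1.2.

```python
"""Audit captured SSL/TLS handshakes for SSL 3.0 use (added example)."""
import struct

# Version bytes as they appear in the hello messages (major, minor).
VERSION_NAMES = {
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",   # also TLS 1.3's legacy_version; see lead-in caveat
}

HANDSHAKE = 22      # record content type
CLIENT_HELLO = 1    # handshake message types
SERVER_HELLO = 2


def parse_hello(record: bytes):
    """Return (handshake_type, (major, minor)) for a ClientHello or
    ServerHello record, or None for anything else (application data,
    alerts, truncated bytes)."""
    # Record header: content type (1), version (2), body length (2)
    if len(record) < 5:
        return None
    content_type, _rec_major, _rec_minor, length = struct.unpack("!BBBH", record[:5])
    if content_type != HANDSHAKE:
        return None
    body = record[5:5 + length]
    # Handshake header: message type (1), length (3), then the version (2).
    # In a ClientHello this is the highest version offered; in a ServerHello
    # it is the version the server selected for the session.
    if len(body) < 6:
        return None
    msg_type = body[0]
    if msg_type not in (CLIENT_HELLO, SERVER_HELLO):
        return None
    return msg_type, (body[4], body[5])


def audit(records):
    """Count the version selected by each ServerHello and return the indexes
    of records where the server settled on SSL 3.0."""
    counts = {}
    sslv3_sessions = []
    for i, rec in enumerate(records):
        parsed = parse_hello(rec)
        if parsed is None or parsed[0] != SERVER_HELLO:
            continue
        version = parsed[1]
        name = VERSION_NAMES.get(version, "unknown %r" % (version,))
        counts[name] = counts.get(name, 0) + 1
        if version == (3, 0):
            sslv3_sessions.append(i)
    return counts, sslv3_sessions


def clients_capped_at_sslv3(records):
    """Indexes of ClientHellos whose best offer is SSL 3.0: these clients
    stop connecting once the server disables SSL 3.0."""
    return [i for i, rec in enumerate(records)
            if parse_hello(rec) == (CLIENT_HELLO, (3, 0))]


def build_hello(msg_type, version, cipher_suite=b"\x00\x2f"):
    """Constructed sample record (minimal hello with a zeroed random) used
    only to make this example self-contained."""
    major, minor = version
    random = bytes(32)
    if msg_type == CLIENT_HELLO:
        # session id len, cipher suites len + list, compression len + list
        body = bytes([major, minor]) + random + b"\x00" + b"\x00\x02" + cipher_suite + b"\x01\x00"
    else:
        # session id len, selected cipher suite, compression method
        body = bytes([major, minor]) + random + b"\x00" + cipher_suite + b"\x00"
    handshake = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, major, minor]) + len(handshake).to_bytes(2, "big") + handshake


# Constructed capture: one modern session, one legacy client the server accepted.
SAMPLE_CAPTURE = [
    build_hello(CLIENT_HELLO, (3, 3)),
    build_hello(SERVER_HELLO, (3, 3)),
    build_hello(CLIENT_HELLO, (3, 0)),   # client can do no better than SSL 3.0
    build_hello(SERVER_HELLO, (3, 0)),   # server agreed: this session is POODLE-exposed
    b"\x17\x03\x03\x00\x05hello",        # application data record, ignored
]

if __name__ == "__main__":
    counts, exposed = audit(SAMPLE_CAPTURE)
    print("negotiated versions:", counts)
    print("records where SSL 3.0 was selected:", exposed)
    print("clients capped at SSL 3.0:", clients_capped_at_sslv3(SAMPLE_CAPTURE))
```

If `audit` reports no SSL 3.0 selections over a representative capture window, disabling the protocol carries no compatibility cost; if it does, `clients_capped_at_sslv3` tells you which hellos to trace back to the clients that need upgrading first.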