There’s a new security bug in town. Its technical identifier is CVE-2014-3566, and it is more widely known as the POODLE bug. Three Google engineers discovered this security vulnerability in SSL version 3. Let’s look at how this vulnerability may affect you.
SSL (Secure Sockets Layer) is an encryption protocol that keeps your Internet communications (such as your connection to your bank’s website, online shopping site, etc.) private and out of the wrong hands.
How the POODLE bug affects SSL 3.0
SSL 3.0 is an 18-year-old technology. Although stronger encryption technologies such as TLS (Transport Layer Security) are now in use, SSL 3.0 is still used in 1% of web traffic and is supported by 95% of web browsers.
POODLE stands for ‘Padding Oracle On Downgraded Legacy Encryption’. It is a security flaw in SSL version 3. Under the right conditions, the POODLE bug can allow an attacker to access your session cookies. With this information in hand, an attacker can take control of your online accounts, including your email, banking and social networking accounts.
Now all this may sound scary, but the POODLE bug is not as threatening as Heartbleed or Shellshock, which took the Internet by storm. It is hard to exploit.
So, why should POODLE not worry you much? Here’s why!
An attacker who intends to use the POODLE vulnerability has to get in between you and the website you are visiting. One of the most likely ways an attacker can do this is when you are accessing your online account on an unsecured public Wi-Fi network.
So, is disabling SSL 3.0 support a solution?
While disabling SSL 3.0 support will mitigate the risk, it might present compatibility problems with older web browsers and servers. So, for now, end users can take the following measures:
1. Avoid accessing online accounts on unsecured Wi-Fi; this even includes your instant messaging services like WhatsApp.
2. Ensure that your browser is configured to update automatically.
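For administrators who do disable SSL 3.0, one way to confirm that a connection no longer falls back to it is to read the version the server chose in its ServerHello. The sketch below is an added example, not part of the original post; the function names are illustrative and the handshake bytes are constructed sample data, not a real capture.

```python
import struct

# Protocol version numbers as they appear on the wire (major, minor).
VERSIONS = {
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",  # TLS 1.3 also reports this value in this field
}

def negotiated_version(record: bytes) -> str:
    """Return the protocol version a server chose in its ServerHello.

    `record` is one raw SSL/TLS record starting at the 5-byte record header.
    Raises ValueError if the bytes are not a complete ServerHello.
    """
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _maj, _min, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != 0x16:            # 0x16 = handshake record
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) < rec_len or len(body) < 6:
        raise ValueError("truncated handshake message")
    if body[0] != 0x02:                 # 0x02 = ServerHello
        raise ValueError("not a ServerHello")
    # body[1:4] is the 3-byte handshake length; server_version follows it.
    major, minor = body[4], body[5]
    return VERSIONS.get((major, minor), f"unknown ({major}.{minor})")

def is_ssl3(record: bytes) -> bool:
    """True when the server agreed to SSL 3.0, the version POODLE affects."""
    return negotiated_version(record) == "SSL 3.0"

def _server_hello(major: int, minor: int) -> bytes:
    """Build a constructed ServerHello record (sample data for the demo)."""
    # version + 32-byte random + empty session id + cipher suite + compression
    hello = bytes([major, minor]) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + bytes([major, minor]) + len(handshake).to_bytes(2, "big") + handshake

if __name__ == "__main__":
    for name, rec in [("legacy", _server_hello(3, 0)), ("modern", _server_hello(3, 3))]:
        print(name, negotiated_version(rec), "FLAG" if is_ssl3(rec) else "ok")
```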
The POODLE bug story is developing. We will keep you posted about this as we collect more information. Stay tuned to our blog, and stay safe!