Browser makers spell out anti-POODLE plans

The top three browser makers announced yesterday how they will deal with the design flaw in SSL 3.0 after researchers revealed that their "POODLE" attack method can steal encrypted information and pilfer browser session cookies.

Microsoft, Google and Mozilla all told users of their browsers -- Internet Explorer, Chrome and Firefox, respectively -- how they will handle the SSL 3.0 flaw, which cyber criminals could exploit using "man-in-the-middle" attacks to make off with session cookies. Those stolen cookies would let the hackers impersonate their victims, automatically logging into sites to, for example, make online purchases, read email or lift files from cloud storage services.

Mozilla was the most definite in its plans.

"SSLv3 will be disabled by default in Firefox 34, which will be released on Nov. 25," said Richard Barnes, a Mozilla security engineer, on a company blog Tuesday. "The code to disable it is landing today in Nightly, and will be promoted to Aurora and Beta in the next few weeks. This timing is intended to allow website operators some time to upgrade any servers that still rely on SSLv3."

Nightly, Aurora and Beta are, in ascending order, the roughest to most-polished builds that Mozilla generates prior to shipping the final Firefox code for a specific version.

Client-side browsers must be updated to disable SSL 3.0, but as Barnes noted, site servers must be modified as well.

Google, whose engineers published details of the POODLE attack, would not commit to a timeline for disabling SSL 3.0 in Chrome, saying only, "In the coming months, we hope to remove support for SSL 3.0 completely from our client products."

Chrome -- and Google's servers -- have supported a mechanism called SCSV, for TLS Fallback Signaling Cipher Suite Value, since February, said Bodo Möller, one of the three Google security engineers who revealed POODLE, in a blog post. SCSV, which Mozilla will also support in Firefox 34, prevents attackers from inducing browsers to use SSL 3.0 as a fallback protocol.
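The following in-memory model shows why the SCSV mechanism described above blocks a forced fallback to SSL 3.0 while still letting a browser reach a genuinely old server. It is an added example, not code from the article, Google or Mozilla; the version numbers and the 0x5600 suite value are the real wire values from RFC 7507, and the `Server` class and the `fails_above` switch are constructed for illustration.

```python
# Added example (not from the article, Google or Mozilla): an in-memory model
# of TLS_FALLBACK_SCSV (RFC 7507). Version numbers and the 0x5600 value are the
# real wire values; Server and the "failing handshake" switch are constructed.

SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
TLS_FALLBACK_SCSV = 0x5600  # signalling cipher suite value from RFC 7507
NAMES = {SSL3: "SSLv3", TLS10: "TLSv1.0", TLS11: "TLSv1.1", TLS12: "TLSv1.2"}


class Server:
    """A TLS server with a highest supported version and optional SCSV support."""

    def __init__(self, max_version, supports_scsv):
        self.max_version = max_version
        self.supports_scsv = supports_scsv

    def hello(self, client_version, cipher_suites):
        # RFC 7507: SCSV present while the offered version is below our best
        # supported version means something forced the client to fall back.
        if (self.supports_scsv and TLS_FALLBACK_SCSV in cipher_suites
                and client_version < self.max_version):
            return ("alert", "inappropriate_fallback")
        return ("server_hello", NAMES[min(client_version, self.max_version)])


def connect(server, send_scsv, fails_above=None):
    """Browser-style downgrade dance: retry with the next lower version when a
    handshake fails. fails_above simulates handshakes that never complete for
    versions above it (a man-in-the-middle dropping them, or an intolerant server)."""
    for attempt, version in enumerate([TLS12, TLS11, TLS10, SSL3]):
        suites = [0x002F]  # an ordinary cipher suite; its identity is irrelevant
        if attempt > 0 and send_scsv:
            suites.append(TLS_FALLBACK_SCSV)  # mark every retry as a fallback
        if fails_above is not None and version > fails_above:
            continue  # handshake "failed"; fall back to the next version
        kind, detail = server.hello(version, suites)
        return ("failed", detail) if kind == "alert" else ("connected", detail)
    return ("failed", "no_common_version")


if __name__ == "__main__":
    modern = Server(TLS12, supports_scsv=True)
    # Pre-SCSV browser plus an active attacker: pushed down to SSLv3 (POODLE-able)
    print(connect(modern, send_scsv=False, fails_above=SSL3))
    # SCSV-aware browser and server: the forced downgrade is refused
    print(connect(modern, send_scsv=True, fails_above=SSL3))
    # SCSV-aware browser still reaches a genuinely TLS 1.0-only, intolerant server
    print(connect(Server(TLS10, supports_scsv=True), send_scsv=True, fails_above=TLS10))
    # A server without SCSV support leaves the downgrade open: fix the server too
    print(connect(Server(TLS12, supports_scsv=False), send_scsv=True, fails_above=SSL3))
```

The last case is the point Barnes makes about servers: a browser that sends the SCSV gains nothing unless the server also understands it, so disabling SSL 3.0 server-side remains the durable fix.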

Chrome was updated to version 38 last week, so the next opportunity for turning off SSL 3.0 will be Chrome 39, which could appear as soon as the second half of November, or around the time Firefox 34 ships.

Like Google, Microsoft declined to set a timetable for modifying Windows to back out of SSL 3.0 support. (Internet Explorer relies on the cryptographic code in Windows rather than embedding the functionality in the browser.)

In a security advisory issued Tuesday, Microsoft acknowledged that "all supported versions of Microsoft Windows implement this protocol and are affected by this vulnerability," but used boilerplate language to describe how it would handle POODLE.

"Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs," the advisory stated.

The next regularly-scheduled Patch Tuesday is Nov. 11.

Apple has, not surprisingly, said nothing about modifying Safari, since its policy is to not comment on ongoing security issues. But one should assume that it would drop support for SSL 3.0 with a future update as well.

Stories by Gregg Keizer