POODLE's bark is bigger than its bite

A flaw in the SSL encryption protocol leaves vulnerable systems open to attack, but it's an outdated protocol

Google researchers revealed a major flaw in the SSL encryption protocol--SSLv3 to be precise--which has been affectionately named "POODLE." The vulnerability is more serious than the silly name might suggest, and the news has garnered a lot of attention because of the potentially broad implications. But security experts assure us the sky is not falling.


POODLE is actually an acronym for "Padding Oracle On Downgraded Legacy Encryption." SSLv3 is rarely used today, but most Web browsers will negotiate a compatible encryption protocol when connecting to a site or server, and are capable of downgrading to SSLv3 if necessary. The POODLE attack relies in part on forcing the target browser to fall back to the legacy protocol, which has inherent weaknesses that can be exploited to allow the attacker to access the encrypted information.

Greg Foss, senior security research engineer for LogRhythm, points out that POODLE is just the latest vulnerability found in SSLv3. BEAST ruled the headlines a few years ago, and the flaw still exists. The only mitigation is to stop using SSLv3 and move to a more secure protocol, like TLS.

Why Does POODLE Matter?

Foss explains, "POODLE is something else, however the impact is similar to BEAST in that it allows for decryption of part of the message. Fundamentally, this vulnerability is the result of a design-flaw within SSLv3 in that it does not specify the contents of padding bytes, whereas TLS does."

Garve Hayes, solutions architect for NetIQ, blames Web admins and software vendors for choosing backward compatibility to an archaic protocol over security. "One of the culprits in this case is Internet Explorer 6. Why would anyone still be using this? Furthermore, why would you allow your servers to auto-negotiate down to a protocol supported by IE 6? I guess in this long-tail world, you never want to let even one customer get away."

Are You Vulnerable?

There's a fair chance that you're impacted by the POODLE flaw. Odds are good that your browser doesn't rely on SSLv3 by default, but because of the ability to fall back to the legacy protocol when necessary, a site or server that is only configured to connect using SSLv3 will force most browsers to cater to that request. You can check for yourself by visiting poodletest.com.

Being vulnerable in and of itself, however, is not enough. The attacker must also be on the same network as the vulnerable system in order to intercept and decrypt your SSLv3 traffic, so the actual threat in the real world is not as huge as some reports in the media make it seem.

What Should You Do?

According to Morey Haber, senior director of program management for BeyondTrust, the solution is relatively simple: Patch and update. "Upgrade your OS and browsers to the latest versions and continue to patch on a regular basis. Avoid end-of-life operating systems like Windows XP. For companies that are still using SSL3.0 on their websites, they need to think of their customers first and upgrade as well."

The major browsers are responding to the threat with updates that will disable SSLv3 and / or prevent the browser from downgrading to the vulnerable protocol. Greg Keizer of sister site Computerworld reported that Mozilla will disable SSLv3 effective with Firefox 34--scheduled for release on November 25. Google and Microsoft have both announced intentions to make similar changes, but they've not committed to a specific timeline. It seems safe to assume, though, that both Google and Microsoft will react as quickly as possible to protect customers.

In the meantime, you can manually disable SSLv3 compatibility in your browser. For example, in the Internet Options of Internet Explorer on the Advanced tab under Security, you can simply uncheck SSL 3.0 as an option. It is also possible to do in Firefox and Chrome, although the process may not be as simple.

The most obvious method of mounting a man-in-the-middle attack exploiting POODLE would be to set up a rogue Wi-Fi network and lure users into connecting to it. Itsik Mantin, director of security research for Imperva, stresses, "I think the most important thing from a user's perspective is to take extra caution when connecting to untrusted networks, in particular open Wi-Fi in public areas, and avoid visiting sensitive sites (e.g., banking applications)."

The bottom line is that POODLE is a threat, but its bark is worse than its bite. As long as you use operating systems and applications that are patched and updated, and follow basic security best practices such as not connecting to shady sites or servers, and not conducting online banking over an insecure public Wi-Fi network, you should be relatively safe.

Join the CSO newsletter!

Error: Please check your email address.

Tags GooglesecurityPOODLEOracleSSL encryptionSSLv3

More about AdvancedBeyondTrustGoogleHayesImpervaLogRhythmMicrosoftMozillaNetIQOracle

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Tony Bradley

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts