Saturday04 February 2023

After Two Major Bugs and Poodle Security Experts Say it is Time to Upgrade the Internet.

Reading time is around minutes.

Yesterday morning we told you about a rumored bug in an older encryption protocol, SSL 3.0. Today the details of this bug were released and although it looks bad, it might not be as big as first hinted. The bug has been called Poodle (Padding Oracle On Downloaded Legacy Encryption) and has sparked many articles with clever lines about dogs and biting people… For all of that nonsense this is not something that is going to go away and highlights a major issue in how we communicate over the internet.

To put this in simple terms SSL 3.0 should not even be an issue anymore as it is a rather old encryption standard (about 18 years old) and has been replaced in most cases by TLS (Transport Layer Security). Yet it is enabled by default on most modern browsers. Even looking at IE 11 on Windows 8.1 with all the latest updates we find SSL 3.0 enabled. Having this enabled means that someone could potentially force you to use that protocol and then grab information from your session using some pretty common tools including basic Java Script. Granted the attacker would have to use a pretty advanced man-in-the-middle attack to do that, but it is certainly possible.

On the other hand, if you end up connecting to a site or service that is only setup to use SSL 3.0 then you can end up in even worse shape as the session can be decrypted and information stolen including session cookies.

Even with the severity of the bug most are not worried about it just yet. Until they start seeing an increase in attacks that force the use of SSL 3.0 this bug will only effect about 1% of the traffic on the web (which is still a lot of people). What is worrying researchers is that this is the third large scale bug that has been found in core way we move traffic and control devices on the internet.

We had Heartbleed, then Shellshock and now Poodle. All of these are signs that some of the basic protocols used on the internet need to be drastically changed or updated. This means that both hardware manufacturer and software developers need to move away from the use of older and less secure methods of communication. A review of current protocols and how to replace them needs to happen along with this fundamental shift in thought process.

From everything we are hearing these three flaws are not the last to be unveiled in the coming months. There has been a lot of chatter in the darker areas of the web about flaws that have already been found in patches that were just put out on Monday so you know that the breaches and Malware are still going to be there. As a friend of my said recently: “to work in IT these days you have to be a grey hat and a dark grey one at that”. It is a pretty accurate statement and highlights that the industry needs to start thinking like the bad guys would so we can stop hearing the excuse “We never thought of that” when the next flaw hits the headlines…

Tell us what you think in our Forum

Last modified on Wednesday, 15 October 2014 10:35

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.