By Poul Wann, Security Specialist
There has recently been a lot of attention given to the security issue in the SSL v3 protocol commonly referred to as POODLE (Padding Oracle On Downgraded Legacy Encryption).
Because it is a weakness in the protocol itself rather than a bug in one implementation, it affects every application and device that still speaks SSL v3.
SSL v3 was introduced by Netscape in 1995 and was superseded in 1999 by TLS v1.0, which has since been revised twice, most recently in 2008 with TLS v1.2. Each revision has introduced security hardening and better algorithms.
While there has been ample time to migrate away from SSL v3, it is still widely supported.
POODLE lets a Man-in-the-Middle attacker decrypt part of an SSL v3 session, typically a session cookie, one byte at a time: the attacker causes the victim's client to issue many crafted requests, tampers with the encrypted records in transit, and learns from the server's response to each (accept or alert) whether a guess was correct. The root cause is that SSL v3's CBC padding is not covered by the MAC and its contents are never checked, so the server acts as a padding oracle; on average 256 requests are needed per recovered byte.
While the flaw in SSL v3 is serious, a practical attack has several prerequisites: the attacker must sit between client and server, must get an exploitation script running in the victim's browser (for example by luring the user to a malicious site or injecting it into a plain HTTP page) so that it issues the crafted requests to the target site, and both sides must still accept SSL v3, either natively or after the attacker forces a downgrade by blocking the TLS handshakes.
The attack demonstrated by the authors compromises the confidentiality of a chosen SSL v3 session only, recovering secrets such as a session cookie; it does not recover the server's private key or any other long-term key, and it does not allow any further direct compromise.
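To make the padding-oracle mechanism concrete, here is an added simulation of the attack; it is example code written for this page, not the proof of concept from the POODLE authors. It stands in for AES with a small keyed Feistel cipher, uses a truncated HMAC-SHA256 as the record MAC, picks a fresh random IV per record instead of SSL v3's chained IV, and leaves out the downgrade step; the request layout, the cookie value and the function names are all assumptions. What it preserves is the flaw that matters: the server strips padding by its length byte without checking the padding contents, and only then verifies the MAC.

```python
# Added example (not Secunia's or the POODLE authors' code): a simulation of
# the POODLE padding-oracle attack on SSL v3 CBC records. The Feistel cipher,
# truncated HMAC, random per-record IV and request layout are simplifications.
import hashlib
import hmac
import os

BLOCK = 16      # cipher block size in bytes (AES-sized)
MAC_LEN = 16    # MAC tag length (truncated HMAC-SHA256 stands in for the SSL v3 MAC)

SECRET = b"sid=s3cr3t-c00k1e"   # constructed session cookie the attacker wants
ENC_KEY = os.urandom(16)        # session keys; the attacker never sees these
MAC_KEY = os.urandom(16)


def _round(key, r, half):
    # Feistel round function: keyed hash of (round number, right half)
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, block):
    """Toy 16-byte block cipher (4-round Feistel). Stand-in for AES, not for real use."""
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, bytes(a ^ b for a, b in zip(l, _round(key, i, r)))
    return r + l   # final swap makes decryption the same network with reversed rounds


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = r, bytes(a ^ b for a, b in zip(l, _round(key, i, r)))
    return r + l


def cbc_encrypt(iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(ENC_KEY, bytes(a ^ b for a, b in zip(pt[i:i + BLOCK], prev)))
        out += prev
    return out


def cbc_decrypt(iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out += bytes(a ^ b for a, b in zip(block_decrypt(ENC_KEY, blk), prev))
        prev = blk
    return out


def mac(msg):
    return hmac.new(MAC_KEY, msg, hashlib.sha256).digest()[:MAC_LEN]


REQ_HEAD = b"POST /"
REQ_MID = b" HTTP/1.1\r\nCookie: "
SECRET_OFFSET = len(REQ_HEAD) + len(REQ_MID)   # where the cookie starts when path_pad == 0


def build_request(path_pad, body_pad):
    # The attacker's script in the browser controls the URL length (path_pad)
    # and the body length (body_pad); the browser attaches the cookie itself.
    return REQ_HEAD + b"a" * path_pad + REQ_MID + SECRET + b"\r\n\r\n" + b"b" * body_pad


def browser_send(path_pad, body_pad):
    """Victim's browser: MAC-then-pad-then-encrypt one SSL v3 record with a fresh IV."""
    data = build_request(path_pad, body_pad)
    data += mac(data)
    pad_len = BLOCK - len(data) % BLOCK            # 1..16 bytes of padding
    # SSL v3: padding bytes are arbitrary; only the final length byte matters
    data += os.urandom(pad_len - 1) + bytes([pad_len - 1])
    iv = os.urandom(BLOCK)
    return iv, cbc_encrypt(iv, data)


def server_accepts(iv, ct):
    """SSL v3 server: strips padding by its length byte WITHOUT checking the padding
    bytes, then verifies the MAC. True = record accepted, False = alert. This is the oracle."""
    pt = cbc_decrypt(iv, ct)
    pad_len = pt[-1] + 1
    if pad_len > BLOCK:
        return False
    body = pt[:-pad_len]
    msg, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(tag, mac(msg))


def recover_byte(k, max_tries=100_000):
    """Attacker: recover SECRET[k] using only the server's accept/reject behaviour."""
    # 1. Pick the URL length so that SECRET[k] is the last byte of some plaintext block.
    path_pad = (-(SECRET_OFFSET + k + 1)) % BLOCK
    t = (SECRET_OFFSET + path_pad + k) // BLOCK + 1   # 1-based index of that block (C_0 = IV)
    # 2. Pick the body length so that the record ends with a full block of padding.
    body_pad = (-(len(build_request(path_pad, 0)) + MAC_LEN)) % BLOCK
    for _ in range(max_tries):
        iv, ct = browser_send(path_pad, body_pad)
        c = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]   # C_0..C_n
        n = len(c) - 1
        # 3. Replace the padding block C_n with the target block C_t and forward it.
        forged = b"".join(c[1:n]) + c[t]
        if server_accepts(iv, forged):
            # Accepted means D(C_t)[-1] XOR C_{n-1}[-1] == BLOCK-1, and since
            # P_t = D(C_t) XOR C_{t-1}: P_t[-1] = (BLOCK-1) XOR C_{t-1}[-1] XOR C_{n-1}[-1]
            return (BLOCK - 1) ^ c[t - 1][-1] ^ c[n - 1][-1]
    raise RuntimeError("oracle never accepted; record alignment is wrong")


def recover_secret():
    return bytes(recover_byte(k) for k in range(len(SECRET)))


if __name__ == "__main__":
    print(recover_secret())
```

The attacker needs no key material: each accepted record pins down one byte of the cookie, and the two lengths the script controls (URL and body) move the next byte into the last position of a block. The large try cap only guards against a misaligned layout; the expected cost is 256 requests per byte, which is why the attack is noisy and slow but entirely practical for a short cookie.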
Given the limited gain and high requirements for the attack to succeed, Secunia will only issue advisories for software and devices where there is a realistic vector for POODLE and where affected products cannot easily be configured to disallow SSL v3 traffic.
We encourage all users to disable SSL v3 support in all products where possible and to use TLS, preferably TLS v1.2, instead. Clients and servers that implement the TLS_FALLBACK_SCSV signalling value additionally prevent the protocol downgrade the attack relies on, but that only helps where both ends support it; removing SSL v3 is the reliable fix.
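A quick way to check whether a server still accepts SSL v3, as an added example that is not part of the original post: the script below sends a bare SSL v3 ClientHello and reports how the server answers. SSL v3 has no handshake extensions, so no SNI can be sent and the probe reaches the default virtual host. The cipher-suite list, the `probe` interface and the result strings are assumptions; the record and handshake layouts are those of SSL v3.

```python
# Added example (not Secunia's code): send an SSL v3 ClientHello and classify
# the first record the server returns. Host/port, suites and wording are assumptions.
import os
import socket
import struct

SSL3 = b"\x03\x00"
# A few SSL v3-era suites the server might choose (IANA values)
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004, 0x0033, 0x0039, 0x0016]
ALERTS = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}


def build_client_hello():
    """Record (type 22, version 3.0) carrying a ClientHello (type 1). No extensions: SSL v3 has none."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (SSL3                                    # client_version = 3.0
            + os.urandom(32)                        # client random
            + b"\x00"                               # session_id length 0
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                          # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Interpret the first record a server sends back after the SSL v3 ClientHello."""
    if len(data) < 5:
        return "no SSLv3: connection closed without a response"
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if ctype == 21 and len(payload) >= 2:                 # alert: level, description
        return "no SSLv3: alert %s" % ALERTS.get(payload[1], "code %d" % payload[1])
    if ctype == 22 and len(payload) >= 6 and payload[0] == 2:   # handshake, ServerHello
        version = payload[4:6]                            # server_version follows the 4-byte header
        if version == SSL3:
            return "SSLv3 ACCEPTED: server sent an SSL v3 ServerHello"
        return "no SSLv3: ServerHello with version %d.%d" % (version[0], version[1])
    return "unrecognised response (content type %d, version %d.%d)" % (ctype, major, minor)


def probe(host, port=443, timeout=5.0):
    """Connect, send the SSL v3 ClientHello, classify the reply. Network I/O only here."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            data = s.recv(4096)
        except socket.timeout:
            return "no response within %.0fs" % timeout
        except ConnectionResetError:
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(probe(host, port))
```

A server that answers with an SSL v3 ServerHello still needs to be reconfigured; one that answers with a `handshake_failure` or `protocol_version` alert, or simply closes the connection, has SSL v3 disabled. In Apache httpd the corresponding setting is `SSLProtocol all -SSLv2 -SSLv3`; in nginx it is `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`. Because the probe can only reach the default virtual host, verify every name-based host through its own configuration as well.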
For more information, please see: