Google Finds Web Security Flaw Which Makes Browsers Prone to Hacking
Engineers at Google have unearthed a major flaw named POODLE in Web encryption standard SSL 3.0. POODLE is a new security hole in Secure Socket Layer (SSL) 3.0 that makes the 15-year-old protocol nearly impossible to use safely, said Google security engineers Bodo Möller, Krzysztof Kotowicz and Thai Duong in a new report published on Tuesday.
This flaw allows encrypted information to be exposed by a hacker with access to the network. POODLE (Padding Oracle On Downgraded Legacy Encryption) has become an issue for experts because SSL 3.0 is still used by websites as well as web browsers, so POODLE remains a problem as long as SSL 3.0 is supported.
However, the good news is that not much of the internet is entirely dependent on SSL 3.0 anymore. The reason it remains a problem is that hackers can force the browser to downgrade to SSL 3.0.
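The forced downgrade described above is visible on the wire as one client offering a newer protocol version to a server and then reconnecting with only SSL 3.0. The following is an added example, not code from the Google report: it assumes you already have the raw ClientHello records per connection in time order, and the helper names, addresses and sample capture are constructed for illustration.

```python
import struct

# Protocol version values as they appear on the wire.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def client_hello_version(record: bytes):
    """Return the client_version offered in a ClientHello record, else None."""
    if len(record) < 11:
        return None
    ctype, _record_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22 or rec_len < 6 or len(record) < 5 + rec_len:  # 22 = handshake
        return None
    if record[5] != 1:  # handshake type 1 = ClientHello
        return None
    return struct.unpack("!H", record[9:11])[0]

def find_ssl3_fallbacks(attempts):
    """attempts: (client, server, record) tuples in time order.
    Flags pairs that offered a newer version and later offered only SSL 3.0."""
    best, findings = {}, []
    for client, server, record in attempts:
        version = client_hello_version(record)
        if version is None:
            continue
        previous = best.get((client, server), 0)
        if version == 0x0300 and previous > 0x0300:
            findings.append((client, server, VERSIONS.get(previous, hex(previous))))
        best[(client, server)] = max(previous, version)
    return findings

def make_hello(version: int) -> bytes:
    """Constructed minimal ClientHello: random, empty session id, one suite."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", min(version, 0x0301), len(handshake)) + handshake

# Constructed capture (documentation addresses, not real traffic).
SAMPLE = [
    ("192.0.2.10", "198.51.100.5", make_hello(0x0303)),
    ("192.0.2.10", "198.51.100.5", make_hello(0x0301)),
    ("192.0.2.10", "198.51.100.5", make_hello(0x0300)),   # fallback to SSL 3.0
    ("192.0.2.77", "198.51.100.5", make_hello(0x0300)),   # SSL 3.0-only client
    ("192.0.2.10", "198.51.100.5", b"\x17\x03\x03\x00\x01\x00"),  # not a handshake
]

if __name__ == "__main__":
    for client, server, had in find_ssl3_fallbacks(SAMPLE):
        print(f"{client} -> {server}: fell back from {had} to SSL 3.0")
```

A client that only ever offers SSL 3.0 is not reported as a fallback here; it is a separate finding that the client still needs SSL 3.0 disabled or replaced.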
Experts have advised business and computer users to stop using SSL 3.0 technology on their servers and browsers. Google security expert Adam Langley has advised Chrome users to disable SSL 3.0 right away by adding this command to the browser: ssl-version-min=tls1
Mozilla security engineer Richard Barnes has advised Firefox users to install a Mozilla security add-on to disable SSL 3.0. Users who do not want to use an add-on have another option: they can go to about:config and set security.tls.version.min to 1. Firefox 34 will include the fix when it launches in about six weeks.
Meanwhile, in Internet Explorer 7, users need to go to Internet options, click the Advanced tab, uncheck SSLv3 and then click the OK button.
Rumors of this new bug in OpenSSL software have been making the rounds on Twitter and tech websites in the past few days. Google security expert Adam Langley states that the POODLE issue relies on a common exploit design in SSL and TLS. “SSL got encryption and authentication the wrong way around,” he said, “it authenticates before encrypting.”
If you don’t have the technical skills to perform the steps above yourself, you can wait for the next browser updates and be sure to install them.