Earlier this month a newly discovered flaw was discovered by Google researchers that exploits an outdated encryption protocol, Secure Sockets Layer version 3 (SSLv3). SSLv3 protects secure web links and safeguards connections your browser makes to financial institutions, email providers and social networks, just to name a few. Called POODLE (Padding Oracle on Downgraded Legacy Encryption), the bug allows web sessions and transactions to be hijacked, revealing session cookies that can be used to access sensitive information.
A session cookie is a bit of data your browser uses to identify you. With this piece of information, a hacker can mimic their victims by logging into sites to make online purchases, access bank accounts and read email. Although SSLv3 is nearly obsolete, it is still used in some places on the web. It is supported by nearly all web browsers in use today, including Google Chrome, Mozilla Firefox, and Microsoft Internet Explorer (IE).
Mozilla said they would remove SSLv3 from the next version of Firefox, slated for release November 25. Google says they plan to disable SSLv3 at some point, but has not given a definitive timeline. The IE 7 browser allows users to turn off the SSLv3 function, but disabling the protocol altogether will involve a patch to the Windows operating system. The next security updates for Windows were scheduled to reach users on November 11.
POODLE is just the most recent example of a long list of severe encryption vulnerabilities that are leading to increasing concern around the security of web traffic, especially via public, unencrypted Wi-Fi networks.
As a frequent web user, how can you protect yourself from POODLE? It is important to be vigilant using unencrypted, public WiFi networks until browsers have disabled support for SSLv3. Connecting to WPA2-Enterprise and authenticating via 802.1X ensures all network traffic is safe and prevents intruders from conducting a variety of malicious attacks. As the risks and public awareness of these attacks continue to grow, service providers should consider offering encrypted Wi-Fi to their users.