When you talk on the Internet, you need to agree on a language with which to communicate. What if you want to talk privately? Well, there’s encryption for that. But just like any other sort of communication, you also need to have a form of encryption that you can use mutually with whomever you’re talking to. Since not all browsers use the same algorithms, servers sometimes have to retain compatibility with algorithms that can be quite dangerous. Google has just recently discovered an exploit that at this moment can affect millions of browsers worldwide that use such an algorithm, and we’re going to talk about it!
Remember that Heartbleed bug that was being reported in almost every tech website? Here’s the run-down if you don’t want to read an entire wall of text: OpenSSL (the encryption algorithm library used by many websites around the world) had a hole in it. Most medium and large websites plugged it up successfully by simply upgrading OpenSSL. That was all done and dusted until something else happened.
This time, what is being known as the POODLE exploit is once again plaguing Secure Sockets Layer (SSL), albeit a different version of it entirely. SSL 3.0 has a serious bug that allows hackers to easily decrypt cookies sent over the HTTP protocol. This will let them see personal information belonging to your login session and even allow them to impersonate you.
SSL 3.0 is very old cryptography, dating back to the times when MySpace was still gaining traction as a social media website. In fact, the term “social media” wasn’t even very popular back then. Many of today’s millenials were either entering their teenage years or still playing in the dirt at recess in fifth grade. That’s how old it is, and servers are still using it!
Since then some major improvements have been made, such as Transport Layer Security (TLS). This new cryptographic protocol eliminates many of the big issues that were present in SSL, such as vulnerabilities that led to certain attacks (such as cipher block chaining which was resolved in TLS 1.1). The only reason TLS needed a new acronym was that it was no longer “interoperable” in SSL. What we industrial know-it-alls mean when we say that something is “interoperable” is that it’s able to work with older versions of something.
So, SSL 3.0 is dead and now we’re using something known as TLS 1.2. The only problem is that there are still many browsers using SSL 3.0 for data transmission. Servers still support it as a safe fallback in case the browsers connecting to them do not support TLS. The worst part is that even if your browser advertises its compatibility with TLS, there’s no guarantee that the server won’t respond with SSL 3.0. Hackers can use this to force your browser and the servers sending you data to stick to the old protocol. For this reason and this reason only, the POODLE exploit is still a big deal.
Google has a proposal: Why don’t we just stop supporting SSL 3.0 and prompt everyone using it to upgrade? For people running servers and browser developers, the best advice from Google is to support TLS_FALLBACK-SCSV. Put simply, stop accepting SSL connections and only accept those on TLS.
Right now, Google says that it’s working on changes to Chrome to prevent it from falling back to SSL. Other browser developers may follow suit.
My best advice to you is to keep your browser up to date and make sure you don’t go to sites that you don’t trust. Other than that, you can also email website administrators with your concerns and link them to this article.