A trio of Google researchers published a troubling bug today, sending much of the web into panic mode to ensure systems were adequately secure. The report describes a POODLE attack (short for "Padding Oracle On Downgraded Legacy Encryption") that would effectively circumvent SSL protections, the same protocol targeted by Heartbleed earlier this year. This bug, also known as "Poodlebleed," is not as serious or as far-reaching as Heartbleed, but has still raised alarms in the research community.
Also known as "Poodlebleed"
SSL protects data in transit between a website and a user, usually indicated by a green padlock icon and an HTTPS URL. If SSL is compromised, a sophisticated attacker could intercept and replace data in transit, opening the door to all manner of attacks. Rumors had been circulating all day that SSL was insecure, but this report explains the bug in detail, giving admins a head start in fixing it while also providing would-be attackers with a road map for exploiting it.
The POODLE attack targets SSL version 3.0 in particular, which was superseded 15 years ago but is still supported by many systems and can be triggered under the right circumstances. As a result, the researchers are urging sysadmins to discontinue SSL 3.0 support, which should be sufficient to prevent the POODLE attack. "If either side supports only SSL 3.0, then all hope is gone," the report says, "and a serious update required to avoid insecure encryption." Further details can be found here.
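Since the recommended fix is to stop accepting SSL 3.0, the practical check is whether a server you operate still completes an SSL 3.0 handshake. The following is an added example for this article, not code from the researchers' report: it builds a minimal SSL 3.0 ClientHello, sends it, and classifies the first record the server returns. The function names, the constructed sample responses and the hostname used in the usage line are assumptions for illustration.

```python
import socket
import struct

SSL3_VERSION = b"\x03\x00"  # SSL 3.0 version bytes used in records and handshakes


def build_sslv3_client_hello() -> bytes:
    """Build a minimal SSL 3.0 ClientHello (no extensions exist in SSL 3.0)."""
    cipher_suites = bytes.fromhex("000a002f0035")  # RSA with 3DES, AES-128, AES-256
    body = (
        SSL3_VERSION                      # client_version = 3.0
        + b"\x00" * 32                    # random: constructed zeros, fine for a probe
        + b"\x00"                         # session_id length 0
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                     # one compression method: null
    )
    # Handshake header: type 1 (ClientHello) + 3-byte body length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 22 (handshake) + version + 2-byte length
    return b"\x16" + SSL3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Classify the first record a server sent back to the SSL 3.0 ClientHello."""
    if len(data) < 5:
        return "no-ssl-response"  # server closed the connection or sent nothing usable
    content_type, major, minor, _length = struct.unpack("!BBBH", data[:5])
    if content_type == 0x16 and bytes((major, minor)) == SSL3_VERSION and data[5:6] == b"\x02":
        return "sslv3-accepted"   # ServerHello at version 3.0: SSL 3.0 still enabled
    if content_type == 0x15:
        return "sslv3-rejected"   # alert, typically protocol_version or handshake_failure
    return "unexpected"


def probe_sslv3(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the ClientHello to host:port and classify the reply (network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            reply = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            reply = b""
    return classify_response(reply)


if __name__ == "__main__":
    # Hypothetical target: replace with a server you administer.
    print(probe_sslv3("example.internal"))
```

A result of "sslv3-accepted" means the server still negotiates SSL 3.0 and the POODLE mitigation (disabling SSL 3.0) has not taken effect; "sslv3-rejected" or "no-ssl-response" is the expected outcome after the fix.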