What is Poodle - SSL Vulnerability
The Poodle vulnerability allows hackers to exploit a buh in the SSL encryption protocol.Reuters

In the last eight months, internet users could be forgiven for thinking that the technology underpinning the web is essentially a leaky colander.

First we had Heartbleed in April, then Shellshock last month and this week we have been a paper published by Google on a bug known as Poodle.

The bug affects the SSL encryption technology and allows hackers to trick computers into sharing sensitive data which could give them access to your emails or social media accounts.

Here we look at just what the Poodle vulnerability is, how it works, whether you could be vulnerable and if it is as serious as Heartbleed or Shellshock.


What is POODLE?


Poodle stands for the Padding Oracle On Downgraded Legacy Encryption, and describes a vulnerability which was discovered in the way in which websites use SSL encryption to communicate with users or servers.

It was first uncovered by Bodo Möller, Thai Duong and Krzysztof Kotowicz from the Google Security Team who published a paper on the vulnerability this week entitled This POODLE Bites: Exploiting the SSL 3.0 Fallback.


What is SSL?


SSL (which stands for Secure Sockets Layer) is an encryption protocol used to protect communications between websites and computers and is represented by the small padlock icon you see on your browser.

The Poodle vulnerability only affects SSL 3.0, but the problem is that this is an 18-year-old encryption standard and therefore is not as secure as the most advanced methods of securing communications online.

Since SSL 3.0 came into effect, encryption standards have moved on and been replaced by the TLS (Transport Layer Security) protocols.


How does Poodle work?


If a website uses SSL 3.0 to encrypt traffic, then attackers could trick your computer to downgrade its encryption standards to SSL 3.0 to send information and, as this is an 18-year-old technology, there are a number of vulnerabilities which can be exploited.

However, while Shellshock and Heartbleed vulnerabilities could be exploited by someone on the other side of the world, for an attacker to successfully exploit Poodle, they would need to be physically close to their victim.

The most likely scenario, claims security expert Graham Cluley, "is if you are accessing the web using free Wi-Fi in a coffee shop, and don't notice the hacker sitting in the corner of the room – sniffing up your data as it flies through the airwaves."


Who is vulnerable?


Theoretically if you use a browser which supports SSL 3.0 then you are vulnerable. However, you will also need to be visiting a website which supports SSL 3.0 and while there are still some around, there are not that many.

While Google has advised all users and website administrators to disable SSL to protect themselves, what it really wants to happen is to move away from using SSL altogether - though this could take some time.

The good news is that it is relatively easy to check if you or the website you are visiting is vulnerable.


How to check if you are vulnerable to POODLE?


Poodle SSL Vulnerability
Poodletest.com

Just visit the imaginatively named Poodletest.com website and if you see a poodle, then your browser supports SSL 3.0 and you maybe vulnerable. If you see a Springfield Terrier, your browser doesn't support SSL 3.0.

To check if a website if vulnerable, then go to www.poodlescan.com and type in the URL. Unfortunately there are no pictures of poodles here.


How do I fix the problem?


Again, this is a relatively easy fix. You can simply instruct your browser not to support the SSL 3.0 standard and set the lower encryption standard to TLS 1.0, which is much more secure.

The problem of course is that you won't be able to visit the websites which continue to use SSL 3.0, though this is list is getting smaller and smaller.

Scott Helme has put together a comprehensive list of instructions on how to disable SSL 3.0 on Chrome, Firefox and Internet Explorer, as well as on servers running Apache, Nginix and IIS.


Is POODLE a serious threat?


Yes and No.

Because it requires a pretty strict set of circumstances to come together, the number of people vulnerable is limited. For a successful attack, the hacker much be physically close to someone running a browser which supports SSL 3.0 and is visiting a website which continues to use SSL 3.0.

Gavin Millard from Tenable Network Security says the threat from Poodle is not as worrying as recent similar threats:

"Whilst it's true that if successfully used, a malicious attacker could expose private data leading to further exploitation, POODLE is far from the severity of recent bugs like Heartbleed or Shellshock."

That said, if a hacker does manage to exploit the vulnerability they could steal something known as your session cookies, which would allow them to access your Gmail or Twitter accounts and from there, much worse problems could emerge.

Iain Wallace, security consultant at Nettitude, warned however that people should not be complacent about potential risks and not disregard this as just another threat:

"Data breach fatigue is another unfortunate consequence of the frequent reports of cyber incidents, but individuals and organisations must not be complacent regarding the risks. This latest vulnerability is another reminder of the need to continually update security software and ensure that a comprehensive and layered defence against the evolving cyber threat landscape is in place."