Just when we all thought that SSL / HTTPS was the solution to online security (OK, maybe a totally, overly simplistic view from somebody who admittedly does not really understand it well) we hear of a major security problem with SSL.
What is it all about?
I just learned about the SSLv3 Support vulnerability from CloudFlare, who I use to help speed up this blog. They posted on Facebook that they have already patched up CloudFlare to ensure that nobody can take advantage of the exploit.
The exploit was first reported by Google a day or so ago in a paper (pdf) called “This POODLE Bites: Exploiting The SSL 3.0 Fallback” by Bodo Möller, Thai Duong and Krzysztof Kotowicz.
In it they explain that SSL 3.0 [RFC6101] is an obsolete and insecure protocol, but some servers will fall back to it if its successors fail. Some cunning hackers have developed a way to force the fallback, which then gives them the chance to exploit the security hole in SSL 3.0.
CloudFlare explained it as:
“This specific vulnerability, which was just announced, targets SSLv3. The vulnerability allows an attacker to add padding to a request in order to then calculate the plaintext of encryption using the SSLv3 protocol. Effectively, this allows an attacker to compromise the encryption when using the SSLv3 protocol. Full details have been published by Google in a paper which dubs the bug POODLE (PDF).”
It would be a good idea, if you use SSL, to check with your webhost that the vulnerability is properly patched.