A bug has been found in the Secure Sockets Layer (SSL) 3.0 cryptography protocol (SSLv3) which could be exploited to intercept data that is supposed to be encrypted between computers and servers. Three Google security researchers discovered the flaw and detailed how it could be exploited through what they called a Padding Oracle On Downgraded Legacy Encryption (POODLE) attack (CVE-2014-3566).

It is important to note that this is NOT a flaw in SSL certificates, their private keys or their design but in the old SSLv3 protocol. SSL certificates are not affected and customers with certificates on servers supporting SSL 3.0 do not need to replace them.

This flaw is very likely not as serious as the Heartbleed bug in OpenSSL, since the attacker needs to have a privileged position in the network to exploit it. The use of hotspots (public Wi-Fi) makes this attack a real problem. This type of attack is a “man-in-the-middle” (MITM) attack.

Solution:
- Check to see if SSL 3.0 is disabled on your browser (for example in Internet Explorer it is under Internet Options, Advanced Settings).
- Make sure the websites you visit always use “HTTPS” to avoid MITM attacks.
- Monitor any notices from the vendors you use regarding recommendations to update software or passwords.
- Avoid potential phishing emails from attackers who ask you to update your password. Stick with the official site domain to avoid going to an impersonated website.
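
For the "servers supporting SSL 3.0" mentioned above, an administrator can check whether a server they run still accepts the old protocol. The following is an added example, not part of the original post: it builds a ClientHello that offers SSL 3.0 only and classifies the server's first reply. The function names, result labels and sample replies are constructed for illustration.

```python
import os, socket, struct

SSL3 = b"\x03\x00"  # protocol version bytes for SSL 3.0

def build_sslv3_client_hello(rand: bytes) -> bytes:
    """Return a ClientHello record that offers SSL 3.0 and nothing newer."""
    if len(rand) != 32:
        raise ValueError("client random must be 32 bytes")
    # CBC and RC4 suites that SSL 3.0 stacks commonly implemented
    suites = struct.pack("!4H", 0x002F, 0x0035, 0x000A, 0x0005)
    body = (SSL3 + rand + b"\x00"                      # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites  # cipher suite list
            + b"\x01\x00")                             # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake

def classify_reply(reply: bytes) -> str:
    """Classify the first record a server sends back to the SSL 3.0 hello."""
    if len(reply) < 5:
        return "no-reply"
    ctype, _major, _minor, length = struct.unpack("!BBBH", reply[:5])
    payload = reply[5:5 + length]
    if ctype == 0x15 and len(payload) >= 2:            # alert record
        return "sslv3-refused"
    if ctype == 0x16 and len(payload) >= 6 and payload[0] == 0x02:
        # ServerHello: type(1) length(3) then the version the server chose
        return "sslv3-accepted" if payload[4:6] == SSL3 else "other-version"
    return "unknown"

def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the hello to a server you run and classify its answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_sslv3_client_hello(os.urandom(32)))
            return classify_reply(s.recv(4096))
    except OSError:
        return "no-reply"

# Constructed sample replies (not captured from any real server)
SAMPLE_ACCEPT = (b"\x16\x03\x00\x00\x2a\x02\x00\x00\x26" + SSL3
                 + bytes(32) + b"\x00\x00\x2f\x00")
SAMPLE_REFUSE = b"\x15\x03\x00\x00\x02\x02\x28"  # fatal alert, handshake_failure

if __name__ == "__main__":
    print(classify_reply(SAMPLE_ACCEPT), classify_reply(SAMPLE_REFUSE))
```

A result of `sslv3-accepted` means the server still negotiates SSL 3.0; an alert or a closed connection is the expected answer once the protocol is disabled.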