The POODLE bug internet vulnerability! Watch this video then check your browser

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

In case you haven’t heard, the boffins at Google have discovered a vulnerability that is pretty serious.

It’s not as bad as Heartbleed or the Shellshock Bash bug, but it’s not the kind of thing you want a malicious hacker to exploit anywhere near you.

It’s called the POODLE vulnerability, or as I like to think of it “the POODLE bug”.

Learn more in the following video:

The POODLE bug! SSL vulnerability explained | Graham Cluley

POODLE stands for “Padding Oracle On Downgraded Legacy Encryption”, and it’s a way of intercepting supposedly secure SSL communications between your computer and a website.

If everything is working properly, SSL should be one of the ways in which your internet communications are secured.

Sign up to our free newsletter.
Security news, advice, and tips.

But POODLE provides a way for attackers to trick your computer not to use the latest and greatest encryption for its internet communications, but use SSL 3.0 instead. And SSL 3.0 is about 18 years old, contains bugs, and was long ago superceded by stronger technologies.

The good news is that, unlike Heartbleed or Shellshock, anyone who wants to POODLE you has to get in between your computer and a website that you’re visiting. The most likely way they are going to do that is if you are accessing the web using free WiFi in a coffee shop, and don’t notice the hacker sitting in the corner of the room – sniffing up your data as it flies through the airwaves.

What they can’t do is attack you from the other side of the world.

PoodleFurthermore, it appears that a successful POODLE attack (a POODLE bite?) is most likely to be able to steal your session cookies, rather than everything you are transmitting back and forth over the web. But if a hacker manages to grab those, they could still read your webmail messages, or post tweets in your name, and cause all kinds of other mischief.

As I explain in the video, you can test your browser by visiting sites like the ever-so-cute www.poodletest.com, and test websites with www.poodlescan.com

If possible, set the minimum version of SSL that your web browser will support to TLS version 1.

Scott Helme has helpfully described how to disable SSL 3.0 in all major browsers and server platforms here.

Further reading:


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

5 comments on “The POODLE bug internet vulnerability! Watch this video then check your browser”

  1. Lewis Morgan

    Useful as always, thanks.

    Also, you forgot the 'f' in furthermore

  2. Coyote

    Google found it you say? Funny, check this:

    "google.com:443 (173.194.33.104) – Vulnerable"

    As for the issue, indeed SSL has always and will always have problems… and TLS isn't exactly perfect either. Once you expanded the acronym I had a suspicion it was indeed what you went to go on to explain. I'm rather perplexed that this is only being brought up now. To be fair I didn't watch the video (yet) and so maybe it is yet another method of doing this (somehow suspect this indeed the case).

    1. Coyote · in reply to Coyote

      Ah, I see. They are phasing it out. Good. I didn't know they were using it, though (is a long time that SSLv3 is recommended). And as for the exploit, reading the PDF at openssl, it somehow reminds me of ssh in that it has a fall-back IF the server supports it (and only a very naive administrator would allow ssh v1). Interesting to think about it in those terms, however: with websites having a need to encrypt data – e.g., credit card/similar – they also need to make sure it works for all their customers. Yet this is a problem itself for this exploit as well as others. So how to address it? Do you miss out on some customers or do you risk? And even more than that, different departments in the corporation are going to have different views, experience and in the end one decides and it might not be the best choice.

      Once again, it only proves more so that there are so many variables and one person's experience someone else. The trick is merging all experience together and that is unfortunately never going to happen as there's always something new (whether that is a new exploit, a new view, a new… anything, isn't really relevant). That's not even taking in to account who has the final say in a decision.

      1. Coyote · in reply to Coyote

        (one person's experience is not the same as someone else and their experience. and this is both positive and negative. hopefully my mutilated sentence, above, is – if you excuse it – patched up now).

  3. John UK

    My Sony KDL- 42W653A Smart TV just recently received a security update that Enables TLS1.0 so it's good to see that things seem to be moving in the right direction at least .

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.