New encryption bug behind 'poodle' attacks
Mozilla said it will disable Secure Sockets Layer (SSL) encryption in the latest version of its Firefox web browser that will be released on November 25 after a security bug called "Poodle" was discovered in a web encryption technology.
Three Google researchers uncovered the security bug in widely used web encryption technology that they say could allow hackers to steal data in what they have dubbed a "Poodle" attack.
"Poodle" stands for Padding Oracle On Downloaded Legacy Encryption.
The problem is an 18-year-old encryption standard, known as SSL 3.0, which is still widely used in web browsers and websites. It was disclosed in a research paper published late on Tuesday on the website of the OpenSSL Project, a group that develops the most widely used type of SSL encryption software.
"By exploiting this vulnerability, an attacker can gain access to things like passwords and cookies, enabling him to access a user's private account data on a website," Mozilla said in its blog.
SSL 3.0 will be disabled by default in Firefox 34, Mozilla said. The code to disable the security protocol will be available shortly via Mozilla Nightly, an in-development version of Mozilla's browser.
Mozilla also said that Firefox 35 will support a generic Transport Layer Security (TLS) downgrade protection mechanism called SCSV (Signaling Cipher Suite Value), as a precautionary measure.
Servers supporting SCSV can prevent attacks that rely on insecure fallback.
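The server-side check behind SCSV, sketched as an added example that is not part of the original article or any browser's or server's own code: it applies the rule from RFC 7507 to a ClientHello body, with SSL 3.0 also disabled. The helper names, the server's version range and the sample handshakes are assumptions constructed for illustration.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600          # signaling cipher suite value (RFC 7507)
ALERT_INAPPROPRIATE_FALLBACK = 86   # fatal alert defined by RFC 7507
ALERT_PROTOCOL_VERSION = 70         # standard TLS alert for an unsupported version
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303

def parse_client_hello(body: bytes):
    """Return (client_version, [cipher suites]) from a ClientHello body."""
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    version = struct.unpack_from(">H", body, 0)[0]
    off = 2 + 32                        # skip client_version and 32-byte random
    off += 1 + body[off]                # skip session_id (1-byte length prefix)
    if off + 2 > len(body):
        raise ValueError("truncated ClientHello")
    cs_len = struct.unpack_from(">H", body, off)[0]
    off += 2
    if cs_len % 2 or off + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    return version, list(struct.unpack_from(f">{cs_len // 2}H", body, off))

def server_decision(body: bytes, server_max: int = TLS12, server_min: int = TLS10):
    """Hypothetical server policy: RFC 7507 check first, then SSL 3.0 refusal."""
    version, suites = parse_client_hello(body)
    # The client says this is a fallback retry, yet the server supports a
    # higher version: the earlier failure was not genuine, so abort.
    if TLS_FALLBACK_SCSV in suites and version < server_max:
        return ("alert", ALERT_INAPPROPRIATE_FALLBACK)
    if version < server_min:            # SSL 3.0 disabled on this server
        return ("alert", ALERT_PROTOCOL_VERSION)
    return ("negotiate", min(version, server_max))

def build_hello(version: int, suites):
    """Constructed sample ClientHello body (zero random, empty session id)."""
    cs = b"".join(struct.pack(">H", s) for s in suites)
    return (struct.pack(">H", version) + bytes(32) + b"\x00"
            + struct.pack(">H", len(cs)) + cs + b"\x01\x00")

if __name__ == "__main__":
    for label, hello in [
        ("normal TLS 1.2 hello", build_hello(TLS12, [0xC02F])),
        ("SSL 3.0 retry with SCSV", build_hello(SSL3, [0x002F, TLS_FALLBACK_SCSV])),
        ("SSL 3.0 without SCSV", build_hello(SSL3, [0x002F])),
    ]:
        print(label, "->", server_decision(hello))
```

A client that retries at a lower version after a failed handshake adds the SCSV to its cipher list; a server that sees it and supports something higher aborts instead of completing the weaker connection.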
Rumours of a new bug in OpenSSL software had been circulating on Twitter and technology news sites in recent days, prompting some corporate security professionals to prepare to respond to a major new threat this week.
So far this year, they have responded to April's "Heartbleed" bug in OpenSSL, which affected an estimated two-thirds of all websites and thousands of other technology products, as well as last month's "Shellshock" bug in a piece of Unix software known as Bash.
But security experts said that the bug disclosed on Tuesday, which could allow hackers to steal browser "cookies," was not as serious as the two prior bugs.
"It's quite complicated. It requires the attacker to have a privileged position in the network," said Ivan Ristic, director of application security research with Qualys and an expert in SSL.
Jeff Moss, founder of the Def Con hacking conference and an advisor to the US Department of Homeland Security, said that successful attackers could exploit the bug to steal session cookies in browsers, taking control of accounts for email providers, social networks and banks that use that technology.
To do that, however, they would need to launch a "man-in-the-middle" attack, placing themselves in between the victim and the websites they were visiting. One common approach is to create a rogue WiFi "hot spot" in an Internet cafe, he said.
Matthew Green, assistant research professor at Johns Hopkins University's department of computer science, said this vulnerability was not as bad as either Heartbleed, which allowed hackers to snoop or steal large quantities of data, or Shellshock, which could give attackers remote control of computers.
He advised businesses and computer users to disable SSL 3.0 technology on their servers and browsers, a process that he said can be difficult for the average computer user.
"It's not going to take out the infrastructure of the Internet. But it's going to be a hassle to fix," he said.