Oct 15, 2014

Google researchers have discovered a vulnerability in the popular Secure Sockets Layer (SSL) protocol that could allow attackers to perform so-called "man-in-the-middle" attacks to access encrypted private information. The vulnerability is called POODLE, and even though the majority of Web browsers have been updated to a version of SSL that doesn't feature the bug, hackers can force the browsers to use older, vulnerable versions of SSL to enable their attacks.

One of the researchers who discovered the POODLE bug explained the severity of the problem:

"This should be an academic curiosity because SSLv3 was deprecated very nearly 15 years ago. However, the Internet is vast and full of bugs. The vastness means that a non-trivial number of SSLv3 servers still exist and workarounds for the bugs mean that an attacker can convince a browser to use SSLv3 even when both the browser and server support a more recent version. Thus, this attack is widely applicable."

It hasn't been a good year for digital security. First, researchers revealed the Heartbleed bug, which was said to leave some two-thirds of the Internet vulnerable to attack, and still plagues many consumers because tech companies haven't updated their older products to address the bug. Then researchers revealed Shellshock, a problem with many Unix-based operating systems that could allow attackers to gain complete access to vulnerable devices, like those at Yahoo.

And those are just the problems that affect consumer web technologies. That doesn't include issues created by faulty security protocols at companies like the Home Depot, or the data breaches at Target, Kmart, and JPMorgan Chase. Anyone who thought their information was secure has probably at least questioned that belief in the wake of these issues.

POODLE won't be as hard to address as these other issues, which require updates to newer versions of security tools for countless websites. That isn't the case with POODLE; all the fix requires is a decision not to use the vulnerable version of SSL, something which CloudFlare, Twitter, and others have already done, even though it causes problems for some Internet Explorer users.
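
For a server operator, that decision comes down to a protocol directive in the web server's configuration. The script below is an added example, not code from the article or from any of the companies it names: it audits configuration text for directives that still enable SSLv3. The sample configuration is constructed, and the Apache token handling (`all`, `+`/`-` prefixes, bare names) is modelled as an assumption about 2014-era builds.

```python
# Directive names are real (nginx ssl_protocols, Apache SSLProtocol).
# The configuration text is constructed sample input for this example.
SAMPLE = """\
# nginx vhost A
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
# nginx vhost B
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Apache vhost C
SSLProtocol all -SSLv2
# Apache vhost D
SSLProtocol all -SSLv2 -SSLv3
"""
# Assumption: what Apache's "all" expanded to on 2014-era builds.
APACHE_ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}

def enabled_protocols(line):
    """Return the lower-cased protocols a directive enables, or None."""
    tokens = line.split("#", 1)[0].strip().rstrip(";").split()
    if len(tokens) < 2:
        return None
    name, args = tokens[0].lower(), [a.lower() for a in tokens[1:]]
    if name == "ssl_protocols":      # nginx: a plain allow-list
        return set(args)
    if name != "sslprotocol":        # not a protocol directive
        return None
    enabled = set()                  # Apache: all / +proto / -proto / proto
    for arg in args:
        sign, proto = (arg[0], arg[1:]) if arg[0] in "+-" else ("", arg)
        group = set(APACHE_ALL) if proto == "all" else {proto}
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:                        # assumption: a bare token replaces the set
            enabled = group
    return enabled

def audit(config_text):
    """Return (line_number, directive) for each directive that enables SSLv3."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        protocols = enabled_protocols(line)
        if protocols is not None and "sslv3" in protocols:
            findings.append((number, line.strip()))
    return findings

if __name__ == "__main__":
    for number, directive in audit(SAMPLE):
        print(f"line {number}: SSLv3 still enabled -> {directive}")
```

The audit only evaluates explicit directives; a server with no protocol directive at all falls back to its build's defaults, which have to be checked separately.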

Given all the problems that require changed passwords, updated security tools, or new credit cards, something as easy to fix -- and frustrating to exploit -- as POODLE is almost like a breath of fresh air. It's still bad news for anyone affected by the bug, but it also shows that some of these problems can be fixed, which is exactly what crisis-weary consumers probably needed.

[photo by Greg Westfall]