It’s recently been discovered that a variant of the POODLE attack, which has the potential to allow attackers to decrypt the content of HTTPS connections, can be carried out against sites using some implementations of the TLS protocol. It was previously believed that POODLE was only effective against SSL 3.0, an outdated version of the encryption protocol. It appears that around 10 percent of the most trafficked sites on the web are vulnerable to POODLE-type attacks, including some banks.
But the new POODLE is a little easier to implement than the old POODLE. Because the original POODLE vulnerability affected only an old version of SSL, the attacker had to do more than carry out the padding attack: they also had to “trick” browsers into downgrading the connection from the more secure TLS versions to the insecure SSL 3.0. Most browsers have now removed this chink in the armor and made it impossible to downgrade to SSL 3.0. The discovery that some TLS implementations are vulnerable relieves hackers of the need to force the browser to downgrade, making the attack slightly easier.
According to Qualys, which runs the SSL Pulse project that monitors SSL-encrypted sites from the Alexa top 1 million visited sites, about 10 percent of sites are vulnerable because they are using implementations of TLS with the padding vulnerability.
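The padding vulnerability comes down to how a receiver validates CBC padding after decryption: SSL 3.0 looks only at the final padding-length byte, while TLS requires every padding byte to equal that length, and the affected TLS implementations skip that check. The sketch below is an added illustration, not code from any TLS library; the function names and the sample records are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Both functions return the length of plaintext+MAC left after the padding
 * is stripped from a decrypted CBC record, or -1 if the padding is rejected. */

/* SSL 3.0-style check: only the trailing padding-length byte is examined,
 * so the padding bytes in front of it can hold anything. */
long strip_padding_lax(const uint8_t *rec, size_t len)
{
    if (len == 0) return -1;
    size_t pad = rec[len - 1];
    if (pad + 1 > len) return -1;          /* padding longer than the record */
    return (long)(len - pad - 1);
}

/* TLS check: every padding byte must equal the padding length. Differences
 * are accumulated instead of returning at the first mismatch; production
 * stacks additionally make the whole check constant-time. */
long strip_padding_strict(const uint8_t *rec, size_t len)
{
    if (len == 0) return -1;
    size_t pad = rec[len - 1];
    if (pad + 1 > len) return -1;
    uint8_t diff = 0;
    for (size_t i = len - 1 - pad; i < len; i++)
        diff |= (uint8_t)(rec[i] ^ pad);
    return diff ? -1 : (long)(len - pad - 1);
}

/* Constructed samples: 8 data bytes followed by 7 padding bytes + length 7. */
static const uint8_t SAMPLE_OK[16] = {
    'G','E','T',' ','/','a','b','c', 7, 7, 7, 7, 7, 7, 7, 7 };
static const uint8_t SAMPLE_TAMPERED[16] = {
    'G','E','T',' ','/','a','b','c', 0x91, 0x3c, 0x00, 0xfe, 0x12, 0x44, 0xa0, 7 };

int main(void)
{
    printf("well-formed: lax=%ld strict=%ld\n",
           strip_padding_lax(SAMPLE_OK, sizeof SAMPLE_OK),
           strip_padding_strict(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("tampered:    lax=%ld strict=%ld\n",
           strip_padding_lax(SAMPLE_TAMPERED, sizeof SAMPLE_TAMPERED),
           strip_padding_strict(SAMPLE_TAMPERED, sizeof SAMPLE_TAMPERED));
    return 0;
}
```

The lax check accepts both records, which is the behavior a patched TLS stack must not have; the strict check rejects the record whose padding bytes were altered.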
Should You Be Worried?
Not overly. As I mentioned in my previous article on this subject, the attack is difficult to carry out. It’s certainly a bad thing that TLS is vulnerable in some implementations, and another vulnerability is the last thing the reputation of purportedly secure online services needs, but as vulnerabilities go, this one is not disastrous.
That said, it is a vulnerability and it can be used to circumvent HTTPS encryption in some scenarios, as Qualys Director of Application Security Research, Ivan Ristic, says:
If you’re worried about whether services you use are vulnerable, Qualys provides a server test that can be used to scan domains for SSL vulnerabilities, including POODLE.
As ever, the way to ensure that your sites are not vulnerable is to install the patches that will probably have already been released by the time this article is published.