Google has published details regarding the latest vulnerability within SSL called Poodle – this time targeting SSL 3.0. The newly found exploit allows one to steal secure cookies and other data via an SSL 3.0 connection. Granted SSL 3.0 is well over 15 years old now, and has since been superseded with the more secure TLS 1.0, TLS 1.1 or TLS 1.2 – the technology is still used as a fallback when connection problems occur as it helps maintain backward compatibility.
Google’s response to the flaw is to scrub SSL 3.0 support from its flagship Chrome browser. Websites and other browsers are also expected to end support for SSL v3 as it’s now considered insecure by design, and instead enforce the use of TLS for HTTPS connections.
Google also recommends browsers and web servers use TLS_FALLBACK_SCSV, the Transport Layer Security Signalling Cipher Suite Value that blocks protocol downgrades.
Doing so will be more effective than simply killing off SSL 3.0 support: that’s because using this magic value should prevent all future downgrade attacks. Chrome and Google’s web servers already support TLS_FALLBACK_SCSV, we’re told.
Google’s security advisory includes advice for system admins looking to further ensure the security of their servers.