The Poodle Security Threat: What You Need to Know
The latest security threat to come to light is POODLE. It’s a cute acronym for Padding Oracle on Downgraded Legacy Encryption. POODLE exploits an old, somewhat obscure, Internet protocol — SSLv3 — that has been largely replaced by TLS (Transport Layer Security). This is a client-side issue only, not server-side, and the hacker has to be on the same network as you. Therefore, you have very little risk of a POODLE attack.
WHAT IS THE POODLE SECURITY THREAT?
POODLE was discovered in September 2014 by three Google researchers in an old version of the SSL protocol. The SSL Man In The Middle Information Disclosure Vulnerability (CVE-2014-3566) affects version 3.0 of SSL, which was introduced in 1996, and has since been superseded by several newer versions of TLS. However, the vulnerability may still be exploited because SSLv3 continues to be supported by nearly every Web browser and a large number of Web servers.
POODLE could allow attackers to hijack and decrypt the HTTP session cookie that identifies you to a service like Twitter or Google, and then take over your accounts without needing your password. But unlike some other recent threats, they could only take over your client session, not gain full access to your server.
SSL and TLS are both secure protocols for Internet communication that work by encrypting traffic between two computers. Most TLS clients will automatically downgrade the protocol they use to SSLv3 if they have to work with legacy servers. The vulnerability lies in the fact that an attacker can potentially interfere with the handshake process that verifies which protocol the server can use and force it to use SSLv3, even if a newer protocol is supported.
HOW IS POODLE BEING MITIGATED?
Google’s security team has recommended that systems administrators simply turn off support for SSLv3 on web servers, but this means that some users trying to connect securely to a web server using SSLv3 will have trouble. Google’s recommendation is to support TLS_FALLBACK_SCSV. This mechanism solves the problems caused by retrying failed connections, thus preventing attackers from inducing browsers to use SSLv3.
WHAT HAS INTOUCH DONE TO MITIGATE POODLE’S IMPACT ON OUR CLIENTS’ WEBSITES?
Since this is a client-side issue, there is nothing for us to do with our production servers. That being said, Intouch will continue to monitor learnings and activity related to the POODLE vulnerability and make any necessary adjustments if appropriate.
WHAT DOES POODLE MEAN TO PHARMA/HEALTHCARE?
Not much, as this is a very low-risk threat. Even in a worst-case scenario, an attacker could get only to a single individual’s information, not your entire database. In addition, the attacker would need to have access to the network between the client and server, making it very unlikely that patient information is at risk.
WHAT SHOULD OUR CLIENTS DO?
Intouch recommends that our clients use new versions of Web browser clients (certainly newer than Internet Explorer v6).
GENERAL INFORMATION ON POODLE
You can find the white paper written by the Google engineers at https://www.openssl.org/~bodo/ssl-poodle.pdf.