More on the POODLE security virus
Get a powerful Linux Dual-Core dedicated server for less than $2.67 a day!Tweet Share on Twitter.
December 15, 2014
The latest news on a high-profile security hole potentially exposes British banks' website traffic to potential eavesdropping.
The POODLE (Padding Oracle On Downgraded Legacy Encryption) security virus first surfaced in October of this year and was believed to affect only the obsolete but still widely used Secure Sockets Layer (SSL) 3.0 cryptographic algorithm.
Researchers revealed last week that the POODLE security flaw also affects versions of TLS (Transport Layer Security).
"The impact of this issue is similar to that of POODLE, with the attack being slightly easier to execute-- no need to downgrade modern clients down to SSL 3 first, TLS 1.2 will do just fine," explained Ivan Ristic, director of engineering at security firm Qualys.
"A successful attack will use about 256 requests to uncover one cookie character, or only 4096 requests for a 16-character cookie. This makes the attack quite practical," he warned.
Qualys has developed a free scanning tool designed to allow website owners a means to easily check their website for cryptographic issues, including, but not limited to, POODLE.
A review of British banking websites using Qualys’s SSL/TLS scanning tool shows that many are vulnerable to POODLE, including RBS (max: TLSv1, min: SSLv3); OneAccount (max: TLSv1, min: SSLv3); HSBC (max: TLSv1, min: SSLv3); Halifax (max: TLSv1, min: SSLv3); NatWest (max: TLSv1, min: SSLv3); Cooperative Bank (only TLSv1); Barclays (max: TLSv1.2, min: SSLv3); Tesco Bank (max: TLSv1, min: SSLv3) and Santander (max: TLSv1.2, min: TLSv1).
"Security at nearly all major British banks is pretty abysmal," said security consultant Paul Moore.
"TLSv1 alone is fifteen years old and of the above, only Santander supports the strongest protocols. That gives you some insight into how antiquated our banking system really is," he added.
Furthermore, Qualys estimates that around ten percent of web servers are vulnerable to the POODLE attack against TLS.
A hostile attacker might be able to exploit the POODLE security hole to unwrap the contentions of an encrypted transmission, leaving passwords, login cookies and other sensitive data open to potential wiretapping.
Disabling SSL 3.0 support in web applications is recommended since there's no patch as such, as an advisory by U.S. CERT explains.
The same internet security researchers who unearthed the Poodle vulnerability have however been able to develop a fix for TLS-based systems.
Source: Qualys Security.
Get a powerful Linux Dual-Core dedicated server for less than $2.67 a day!