POODLE Bites Again: 10% of all Websites Vulnerable to Man-in-the-Middle Attack

by Istvan Fekete on December 9, 2014

In case you thought that your data is now safe, here is something to remind you to stay continuously on guard. Some of the world’s leading websites, such as the ones operated by Bank of America, VMware, and the US Department of Veteran’s Affairs are vulnerable to simple attacks bypassing the transport layer security (TLS) encryption that is supposed to protect you from eavesdroppers and spoofers, reports Ars Technica.

You may recall that roughly two months ago security researchers uncovered a so-called POODLE attack against Secure Sockets Layer (SSL), which has an encryption protocol similar to TLS. POODLE stands for Padding Oracle On Downgraded Legacy Encryption, and allows attackers monitoring Wi-Fi hotspots and other unsecured Internet connections to decrypt HTTPS traffic encrypted by the ancient SSL version 3.

At the time, browser makers eliminated the vulnerability by dumping the use of SSL v3.

More recently, a variation of the same POODLE attack has surfaced targeting the widely used implementations of TLS. To verify the validity of the above claim, security firm Qualys looked into the matter and, after numerous tests, has found that some of the Internet’s top sites are vulnerable to the POODLE attack.

“The impact of this problem is similar to that of POODLE, with the attack being slightly easier to execute—no need to downgrade modern clients down to SSL 3 first, TLS 1.2 will do just fine,” Ivan Ristic, Qualys’s director of application security research, wrote in a blog post titled POODLE bites TLS. “The main target are browsers, because the attacker must inject malicious JavaScript to initiate the attack. A successful attack will use about 256 requests to uncover one cookie character, or only 4096 requests for a 16-character cookie. This makes the attack quite practical.”

At this time, load balancers and similar devices sold by F5 and A10 have been identified as vulnerable. F5 issued a support document pointing to affected products and how they can be patched, while A10 is silent as of writing this article.

Ristic says that about 10% of websites are vulnerable to the new TLS POODLE attack, meaning these sites are vulnerable to man-in-the-middle attacks.

Did you like this post? TheTelecomBlog.com publishes daily news, editorial, thoughts, and controversial opinion – you can subscribe by: RSS (click here), or email (click here).

Written by: Istvan Fekete. www.digitcom.ca. Follow TheTelecomBlog.com by: RSS, Twitter, Facebook, or YouTube.

Previous post:

Next post: