Poodle bug less bite than Heartbleed, say experts

A poodle Image copyright Science Photo Library
Image caption Poodle bug may not bite as hard as Heartbleed or Shellshock

Google researchers have uncovered a bug in web-encryption technology that could allow hackers to take over email, banking and other online accounts.

Dubbed Poodle, the threat is said to be less severe than Heartbleed, which sent the security industry into panic earlier this year.

The bug exists in old software that is still used by web browsers and servers.

Its discovery showed that internet infrastructure needs an overhaul, said experts.

"If Heartbleed and Shellshock were a 10, this is about a five," said Alan Woodward, a security researcher from the University of Surrey.

Details about Poodle - which stands for Padding Oracle On Downgraded Legacy Encryption - were issued in a security advisory compiled by three Google engineers, Bodo Moller, Thai Duong and Krzysztof Kotowicz.

The bug is contained within an 18-year-old encryption standard known as SSL 3.0, which has generally been superseded by its successor TLS (Transport Layer Security).

Prof Woodward estimates that SSL 3.0 is used in about 1% of web traffic.

The bug could hit people using old browsers and servers that still use the protocol.

The bug is not easy to exploit and would need an attacker to control the internet connection between the browser and the server, a so-called man-in-the-middle attack. This could be achieved for example if he or she were in range of an unencrypted wi-fi access point.

What is concerning security experts is the fact that hackers could force an internet connection to downgrade to SSL 3.0.

If a connection does fall back to the older protocol, the bug makes it possible to steal cookies, the small data files that enable people to log in to a particular service - giving the hacker access to a range of services that use the cookies.

Generally, though, the bug is generating far less panic in security experts.

"First, this is not another Heartbleed. It's bad, but it's not going to destroy the internet," wrote Matthew Green, a professor at John Hopkins University's department of computer science, in his blog.

Microsoft issued an advisory, suggesting customers disable SSL 3.0 on Windows for servers and PCs. Mozilla plans to disable SSL 3.0 in the next version of its Firefox browser and Google said it too would eventually remove support for the software.

"It is not up to consumers to turn off SSL 3.0, this is a job for administrators of systems. For people at home the advice is to use the latest browsers," explained Prof Woodward.

The bug is the third major bug discovered in the past few months.

Shellshock, a flaw found in a software component known as Bash, which is part of many Linux systems as well as Apple's Mac operating system, could have hit at least 500 million machines.

Heartbleed, another flaw in encryption technology, was thought to have affected at least 500,000 machines.

The lesson to be learned from the Poodle bug is a need to update "our ageing internet infrastructure," said Mr Green.

"Hopefully this will be the straw that breaks the camel's back and gets us to abandon obsolete protocols like SSLv3," he wrote.

More on this story