Yesterday, Google published the details of an SSL 3.0 design vulnerability that renders SSL 3.0 completely insecure and useless. SSL 3.0 is over fifteen years old and, up until today, was still supported by most browsers. When communicating with a website, a browser will usually use the latest protocol version to connect to the HTTPS server; however, failed connections are retried on older, clearly deprecated protocols such as SSL 3.0. As such, attackers can force targets to disconnect and then reconnect using SSL 3.0, thus exposing their current session to takeover.
All in all, the internet security community has concluded that the POODLE bug is nowhere near as damaging as the Heartbleed or Shellshock bugs. However, this particular Internet-wide bug is especially threatening to Bitcoin exchanges. One proactive Bitcoin exchange that recognized this immediately, BitMEX, has emailed all of its users to inform them that BitMEX has disabled SSL 3.0 on its servers and TestNet. Furthermore, they advised all users to manually disable SSL 3.0 in their browsers. As most Bitcoin stalwarts will tell you, two-factor authentication is also a good way to secure funds from potential session hijacking attacks such as this one.
POODLE Easily Fixed
Google has released a fix, TLS_FALLBACK_SCSV, that has been in use since February and as such should not introduce any further bugs. In addition, Google is disabling the SSL 3.0 fallback capability in its popular browser, Google Chrome. Google admitted: “This change will break some sites and those sites will need to be updated quickly. In the coming months, we hope to remove support for SSL 3.0 completely from our client products.” Firefox is also getting rid of SSL 3.0, and within a few months, the entire deprecated protocol will be a distant memory to internet users. With each passing hack, exploit, or vulnerability that is found in the world’s centralized systems, Bitcoin and Blockchain technology become stronger. Hopefully, a POODLE exploit is not behind the security and bankruptcy drama over at Mintpal and Moolah.