On Wednesday October 15th, as a result of the Padding Oracle On Downgraded Legacy Encryption (POODLE) vulnerability reported by Google, the Lab issued a Grid Status update warning that those who use the viewer’s built-in browser may not be able to access certain websites.
The update from the Lab reads in part:
[Posted 12:15 PM PDT, 15 October 2014] Residents may be unable to open certain websites using the viewer’s internal browser. This is due to a security-related change made by many web sites in response to a vulnerability announced today by Google. This issue will affect Media-on-a-Prim for those sites, and will block initial setup of some SLShare accounts.
You may be able to access those sites by setting your viewer to use an external browser: go to Me/Preferences/Setup and check “Use my browser (Chrome, Firefox, IE) for all links”.
We are aware of the issue and working on a fix.
Essentially what happens is that the attacker induces a series of connection failures between the browser and the website, which in turn trigger what is called a “downgrade dance”: the browser eventually falls back to the SSL 3.0 protocol in order to maintain communications. The attacker then uses the vulnerability within SSL 3.0 to grab sensitive data.
Because of its nature, and because certain requirements must be met (as noted above) for it to work, POODLE is regarded as less far-reaching than something like Heartbleed. However, it has prompted Google to advise that websites disable SSL 3.0 support, or that they use tools supporting TLS_FALLBACK_SCSV (Transport Layer Security Signalling Cipher Suite Value), which prevents “downgrade dance” attacks against services that could otherwise be forced into the vulnerable protocol. Google has also stated that it plans to remove SSL 3.0 support from its Chrome browser, and Mozilla is going to do the same with Firefox.
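To make the “downgrade dance” and the TLS_FALLBACK_SCSV counter-measure concrete, here is an added, deliberately simplified model of the client’s retry loop and the server’s check; it is not code from this post, Linden Lab or Google, and the version list, the on-path attacker’s “floor” and the function names are assumptions of the model rather than anything the post describes.

```python
# Simplified model of the POODLE "downgrade dance" and of the TLS_FALLBACK_SCSV
# defence (RFC 7507). Added illustration only; the version list, the attacker
# "floor" and all names are assumptions of the model, not real protocol code.
VERSIONS = ["SSL3.0", "TLS1.0", "TLS1.1", "TLS1.2"]   # ascending protocol order
TLS_FALLBACK_SCSV = 0x5600                            # signalling cipher-suite value (RFC 7507)

def rank(v):
    return VERSIONS.index(v)

def server_hello(offered, suites, server_min, server_max):
    """Server side of the handshake. A retry that carries the SCSV yet offers
    less than the server's best version can only be a downgrade, so refuse it."""
    if rank(offered) < rank(server_min):
        return ("alert", "protocol_version")          # e.g. the site has disabled SSL 3.0
    if TLS_FALLBACK_SCSV in suites and rank(offered) < rank(server_max):
        return ("alert", "inappropriate_fallback")   # RFC 7507 section 3
    return ("hello", min(offered, server_max, key=rank))

def connect(server_min, server_max, attacker_floor=None, scsv=False):
    """Client side: after a connection failure, fall back one version and retry.
    attacker_floor: highest version an on-path attacker lets through (None = no attacker).
    Returns the negotiated version, or None if no connection was established."""
    offered, first_attempt = VERSIONS[-1], True
    while True:
        if attacker_floor is not None and rank(offered) > rank(attacker_floor):
            reply = ("failure", None)                 # handshake dropped: looks like a network error
        else:
            suites = [TLS_FALLBACK_SCSV] if scsv and not first_attempt else []
            reply = server_hello(offered, suites, server_min, server_max)
        if reply[0] == "hello":
            return reply[1]
        if reply[0] == "alert" or offered == VERSIONS[0]:
            return None                               # refused, or nothing left to fall back to
        offered, first_attempt = VERSIONS[rank(offered) - 1], False

if __name__ == "__main__":
    print("no attacker:                 ", connect("SSL3.0", "TLS1.2"))
    print("downgrade dance, no defence: ", connect("SSL3.0", "TLS1.2", attacker_floor="SSL3.0"))
    print("client sends SCSV:           ", connect("SSL3.0", "TLS1.2", attacker_floor="SSL3.0", scsv=True))
    print("server disabled SSL 3.0:     ", connect("TLS1.0", "TLS1.2", attacker_floor="SSL3.0"))
```

The second line of output is the POODLE precondition (the browser ends up on SSL 3.0); the last two show the two mitigations named above, each of which leaves the attacker with a failed connection rather than a downgraded one.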
- Viewer Issues with Loading Webpages – Linden Lab
- This POODLE bites: exploiting the SSL 3.0 fallback – Google
- POODLE Security Vulnerability Breaks SSLv3 Secure Browsing – James Lyne, Forbes
- A Web encryption vulnerability opens ‘encrypted’ data to hackers – Roberto Baldwin, TNW