Poodle vulnerability: Lab issue viewer browser notice

On Wednesday October 15th, and as a result of the Padding Oracle On Downgraded Legacy Encryption (Poodle) vulnerability reported by Google, the Lab issued a Grid Status update, warning those who use the viewer’s built-in browser may not be able to access certain websites.

The update from the Lab reads in part:

[Posted 12:15 PM PDT, 15 October 2014] Residents may be unable to open certain websites using the viewers internal browser. This is due to a security related change made by many web sites in response to a vulnerability announced today by Google.  This issue will affect Media-on-a-Prim for those sites, and will block initial setup of some SLShare accounts.

You may be able to access those sites by setting your viewer to use an external browser: go to Me/Preferences/Setup and check “Use my browser (Chrome, Firefox, IE) for all links.

We are aware of the issue and working on a fix.

Unlike recent security vulnerabilities, like Heartbleed, Poodle targets the client-end of things. It does this by exploiting a flaw in the design of SSL 3.0 protocol, which despite being 18 years old, is used as a fallback security protocol within most browsers, including Chrome, Firefox and Internet Explorer. However, there are a couple of caveats to its effectiveness: for the attack to work, the attacker must be on the same wireless network as you (or in the path of your communications), and your client must be running JavaScript.

Essentially what happens is that the attacker initiates a series of connection failures between the browser and website, which in turn trigger what is called a “downgrade dance” where the browser eventually falls back to using the SSL 3.0 protocol to maintain communications. The attacker then uses the vulnerability within SSL 3.0 to grab sensitive data.

Because of its nature, and the fact that certain requirements must be met (as noted above) in order for it to work, Poodle is regarded as less far-reaching than something like Heartbleed. However, it has prompted Google to issue an advisory that websites disable SSL 3.0 support or that tools that support TLS_FALLBACK_SCSV (Transport Layer Security Signalling Cipher Suite Value) are used which prevent the “downgrade dance” attacks on services that can trigger the vulnerability. Google have also stated they plan to scrub SSL 3.0 support from its Chrome browser, and Mozilla are going to do the same with Firefox.

Related Links