While it’s not causing Heartbleed levels of panic — yet — this news is a little disconcerting: Google has discovered a vulnerability in an older version of SSL, the protocol that basically keeps everything we do on the web protected.
There’s a statement on Google’s security blog about the bug, which they’re calling POODLE:
Today we are publishing details of a vulnerability in the design of SSL version 3.0. This vulnerability allows the plaintext of secure connections to be calculated by a network attacker.
Should we freak out? Yes and no. This version of SSL is old — 15 years old — and most sites don’t use it anymore. However, sites often keep the older version around as a fallback, which is enough to expose the vulnerability, and people who’d want to prey upon someone’s online security have ways to trick sites into falling back to the vulnerable version.
Google has some tips on how to disable a fallback to 3.0 and if everyone would follow their guidelines it would mostly solve — or at least seriously mitigate — the problem. But like we found with Heartbleed, trying to get every website on the internet to change the way it does something is damn near impossible. [Google]
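One way to check whether a connection actually ended up on SSL 3.0, as an added example that is not Google’s code or part of the original post: the function below parses the ServerHello record a server sends back and flags the 3.0 version. The sample record is constructed inline (a hypothetical server picking SSL 3.0), so it runs offline against a captured byte string rather than a live host.

```python
import struct

# Wire constants shared by SSL 3.0 and TLS (record content type, handshake type).
TLS_HANDSHAKE = 0x16
SERVER_HELLO = 0x02
SSL3_VERSION = (3, 0)  # SSL 3.0 on the wire is major=3, minor=0


def negotiated_version(record: bytes):
    """Return the (major, minor) version chosen in a ServerHello record,
    or None if the bytes are not a complete ServerHello.

    Layout: content_type(1) version(2) length(2) | hs_type(1) hs_len(3) | version(2) ...
    """
    if len(record) < 11 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 6 or body[0] != SERVER_HELLO:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_len + 4 > len(body):
        return None  # truncated handshake message; do not trust a partial read
    # The version inside the handshake body is the one the server negotiated.
    return (body[4], body[5])


def negotiated_sslv3(record: bytes) -> bool:
    """True when the server settled on SSL 3.0, i.e. fallback was not disabled."""
    return negotiated_version(record) == SSL3_VERSION


def build_server_hello(major: int, minor: int, cipher: bytes = b"\x00\x2f") -> bytes:
    """Constructed sample ServerHello (zeroed random, empty session id) for testing."""
    body = bytes([major, minor]) + b"\x00" * 32 + b"\x00" + cipher + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, major, minor]) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    captured = build_server_hello(3, 0)  # hypothetical server that still speaks SSL 3.0
    print("negotiated", negotiated_version(captured), "sslv3:", negotiated_sslv3(captured))
```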