December 9, 2014

Poodle bug bites back on TLS

Transport Layer Security connections on the web are not immune from interception.

By Jimmy Nicholls

The Poodle bug is set to make a comeback after researchers discovered it affecting some implementations of the Transport Layer Security (TLS) protocol.

The flaw allows hackers to listen to conversations between web client and server because it lacks a requirement to check the cryptographic padding, the extra bytes added to data to make it harder to decrypt. The bug was last found in the third version of the Secure Sockets Layer (SSL) protocol two months ago.

"The impact of this problem is similar to that of Poodle, with the attack being slightly easier to execute," said Ivan Ristic, director of engineering at the security company Qualys.

"The main targets are browsers, because the attacker must inject malicious JavaScript to initiate the attack. A successful attack will use about 256 requests to uncover one cookie character, or only 4096 requests for a 16-character cookie. This makes the attack quite practical."

He estimated that as much as 10% of the web could be impacted by the bug, making it the most significant threat to web security since the Heartbleed OpenSSL flaw allowed similar interception of data.
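To make the padding point concrete, here is an added example (not from the article, nor any vendor's code) contrasting the strict TLS 1.0+ padding check with the SSL 3.0-style check that inspects only the length byte, which is what the affected TLS implementations did. Function names, the 16-byte block size and the sample blocks are assumptions constructed for illustration.

```python
import os

BLOCK = 16  # block size of AES-CBC cipher suites (assumed for the example)

def tls_pad(data: bytes, block: int = BLOCK) -> bytes:
    """TLS 1.0+ padding: append n+1 bytes, each equal to n, to reach a block boundary."""
    n = (block - (len(data) + 1) % block) % block
    return data + bytes([n]) * (n + 1)

def strict_unpad(plaintext: bytes, block: int = BLOCK):
    """TLS rule: every padding byte must equal the length byte.
    Returns the payload, or None when the padding is malformed."""
    if not plaintext or len(plaintext) % block:
        return None
    n = plaintext[-1]
    if n + 1 > len(plaintext):
        return None
    if any(b != n for b in plaintext[-(n + 1):]):
        return None
    return plaintext[:-(n + 1)]

def lax_unpad(plaintext: bytes, block: int = BLOCK):
    """SSL 3.0 rule, also used by the TLS stacks hit by this bug: only the
    length byte is inspected, so the remaining padding bytes may hold anything."""
    if not plaintext or len(plaintext) % block:
        return None
    n = plaintext[-1]
    if n + 1 > len(plaintext):
        return None
    return plaintext[:-(n + 1)]

def acceptance_count(unpad, trials: int = 1000) -> int:
    """Count how many constructed final blocks the given unpad routine accepts.
    Each block has last byte == BLOCK-1 (a full padding block) and random other
    bytes, simulating garbage that a correct checker must reject."""
    accepted = 0
    for _ in range(trials):
        final = os.urandom(BLOCK - 1) + bytes([BLOCK - 1])
        if unpad(b"payload-block-01" + final) is not None:  # 16-byte payload block
            accepted += 1
    return accepted

if __name__ == "__main__":
    print("strict accepts", acceptance_count(strict_unpad), "of 1000 random blocks")
    print("lax accepts   ", acceptance_count(lax_unpad), "of 1000 random blocks")
```

A real record layer must also verify the MAC and keep the padding and MAC checks constant-time; the example isolates only the length-byte-only check, which accepts essentially any final block and is what makes the per-byte guessing the article describes possible.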

Adam Langley, a security engineer at Google, reported that "a number of major sites" were affected, and that at least two network vendors were having problems with the bug, one being F5 Networks and the other being A10 Networks.

"I’m not completely sure that I’ve found every affected vendor but, now that this issue is public, any other affected products should quickly come to light," he added.
