POODLE Bites Again
Looks like the Poodle vulnerability did not vanish. On December 8th, 2014 researchers discovered that POODLE attack can be successful on TLS connections even if the SSLv3 protocol is disabled.
WOW, that's another major hit in the secure communications.
So, we are starting all over again with the same old attack that we thought we are done with.
Some implementations of secure connections use SSLv3 decoding routines for TLS connections, which allows POODLE attacks to succeed even without SSLv3 and even of you are using TLS 1.2
Who should care?
Website owners and system administrators are advised to check their websites again.
If you are using any of F5 or A10 network devices, then you are definitely vulnerable to the attack, and need to check with your vendor for new patches.
Does that mean if i don't use any of these devices / products for my website i am safe?
Not necessarily, we all thought that disabling SSLv3 will make us safe from the attack, but we were wrong.
There may be other products or devices are using a similar implementation like F5, and A10, but we still don't know about them.
Am I affected?
According to the SSL Pulse project from Qualys; which monitor the top 1 million sites based on Alexa ranking, 10% of the sites are vulnerable to POODLE attack through TLS.
That's a lot of sites, about 15k famous site are vulnerable.
So, if we were logged in to any of these sites and we did visit a malicious site, the attacker can successfully initiate an attack to any of these sites, and capture the communication with the site in plain text.