Google researchers warned of yet another online security "vulnerability" Tuesday.
The vulnerability is to an attack called POODLE, which stands for Padding Oracle On Downgraded Legacy Encryption. POODLE, Google said in a blog post, is a "widespread" threat because it enables prowling hackers to steal your most private information.
The risk stems from SSL 3.0, or Secure Sockets Layer. That's the online security layer that protects data between two endpoints, usually your web browser and the web server to which you are connected.
Cryptographer and research professor Matthew Green of Johns Hopkins University wrote that POODLE allows hackers to control the Internet connection between your browser and server. By running code in your browser, hackers can decrypt authentication cookies for websites such as Google, Yahoo and even your online bank account.
Google said that while the security software is almost 15 years old, most modern web browsers still support it and in some cases even fall back to it.
"[B]rowsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue," developers said.
To mitigate the risk, researchers recommended preventing browsers from falling back to SSL 3.0 after failed connection attempts. This mechanism also prevents browsers from downgrading to other earlier protocol versions.
The company also said it hopes to remove support for SSL 3.0 from its products in the coming months.
Green said the obvious solution to the problem is to "find and kill" SSL 3.0 wherever it is. The problem with that approach, Green said, is that many browsers and servers can't function without it, citing the growing problem of "aging Internet infrastructure."
"Hopefully this will be the straw that breaks the camel's back and gets us to abandon obsolete protocols like SSLv3," Green said.
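The fallback retry and the two mitigations described above (marking retries so the server can refuse a needless downgrade, standardized as TLS_FALLBACK_SCSV in RFC 7507, and removing SSL 3.0 from the client) can be modelled in a few lines. This is an added example, not code from Google's post or from any browser; it is a simplified model rather than a TLS implementation, and the function names, the version list and the `dropped_attempts` input are assumptions of the sketch.

```python
# Simplified model of the version fallback retry and the server-side fallback check.
# Not a TLS implementation; names and the version list are assumptions of this sketch.
VERSIONS = ["SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"]  # oldest to newest


class InappropriateFallback(Exception):
    """Server refuses a retry offered below the best version it supports."""


def server_accept(server_max, offered, fallback_signal, honors_signal=True):
    """Return the negotiated version, or raise if the retry was a needless downgrade."""
    downgraded = VERSIONS.index(offered) < VERSIONS.index(server_max)
    if honors_signal and fallback_signal and downgraded:
        raise InappropriateFallback(offered)
    return min(offered, server_max, key=VERSIONS.index)


def connect(server_max, dropped_attempts, send_signal, client_min="SSL 3.0"):
    """Client offers its newest version first and steps down after each failure.

    dropped_attempts: how many initial attempts fail on the network (constructed input).
    send_signal: whether retries are marked as fallbacks.
    Returns the negotiated version, or None if no connection is made.
    """
    offers = VERSIONS[VERSIONS.index(client_min):][::-1]
    for attempt, offered in enumerate(offers):
        if attempt < dropped_attempts:
            continue  # attempt failed; the client retries one version lower
        try:
            return server_accept(server_max, offered, send_signal and attempt > 0)
        except InappropriateFallback:
            return None  # client gives up rather than keep stepping down
    return None


if __name__ == "__main__":
    # Constructed scenarios against a server whose best version is TLS 1.2.
    print("no failures:           ", connect("TLS 1.2", 0, send_signal=False))
    print("3 failures, no signal: ", connect("TLS 1.2", 3, send_signal=False))
    print("3 failures, signal:    ", connect("TLS 1.2", 3, send_signal=True))
    print("SSL 3.0 removed:       ", connect("TLS 1.2", 3, False, client_min="TLS 1.0"))
```

The case of a server that really only supports an older version still connects with the signal on, because the check rejects only retries below what the server itself could have offered.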
This is the third online security threat this year; the "Heartbleed" bug took privacy experts and users by surprise in April. And just last month, experts called attention to the "Shellshock" security risk.
(H/T: PC World)
Follow Jon Street (@JonStreet) on Twitter