Google calmly guns down POODLE in broad daylight
06 November 2014
Troublesome mutt culled to prevent website vulnerabilities
POODLE ("Padding Oracle On Downgraded Legacy Encryption") is a man-in-the-middle website attack that exploits the graceful degradation of website security to 256-bit SSL 3.0 in certain circumstances.
Google's Bodo Möller, Thai Duong and Krzysztof Kotowicz disclosed the vulnerability in September 2014. Google now plans to remove SSLv3 support from Chrome with Update 40. When it comes to POODLEs and website design, it would appear this hound's days are numbered.
"The update is that we're killing it," chirped Google security engineer Adam Langley.
Mozilla will disable SSL 3.0 in Firefox 34 (released November 2014), and Microsoft also plans to disable it in all products by default. The Redmond blimp has released a "Fix it" for those keen to disable it in IE immediately.
POODLE is an example of a vulnerability that succeeds thanks to a mechanism designed for reducing security for the sake of interoperability. Sitting alongside progressive enhancement, graceful degradation represents a core tenet of good responsive website design. Maybe next time the backroom tech boys won't be let off the leash.
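The trade-off between fallback and a hard version floor can be sketched as a toy model. This is an added example, not code from Google or any browser: the version list, the function names and the "interferer" are illustrative assumptions, and the handshake is a pure function with no network traffic.

```python
# Toy model of a client's protocol-version fallback (hypothetical names).
VERSIONS = ["TLS 1.2", "TLS 1.1", "TLS 1.0", "SSL 3.0"]  # newest first


def handshake(offered, server_supports, interferer_blocks=()):
    """Return True if a handshake at `offered` completes.

    `interferer_blocks` models an on-path party causing handshakes at those
    versions to fail; the client cannot tell this apart from a legacy
    server that simply does not understand newer versions.
    """
    return offered in server_supports and offered not in interferer_blocks


def connect_with_fallback(server_supports, client_floor, interferer_blocks=()):
    """Retry at successively older versions, never below `client_floor`.

    Returns the negotiated version, or None when the client fails closed.
    """
    floor_index = VERSIONS.index(client_floor)
    for version in VERSIONS[: floor_index + 1]:
        if handshake(version, server_supports, interferer_blocks):
            return version
    return None


def scenarios():
    """Run the four cases that show the interoperability/security trade-off."""
    modern = set(VERSIONS)            # server speaks everything
    legacy = {"SSL 3.0"}              # server speaks only SSL 3.0
    blocked = ("TLS 1.2", "TLS 1.1", "TLS 1.0")
    return {
        # Nothing interferes: the newest version wins.
        "clean": connect_with_fallback(modern, "SSL 3.0"),
        # Newer handshakes fail, client degrades all the way to SSL 3.0.
        "degraded": connect_with_fallback(modern, "SSL 3.0", blocked),
        # Same interference, but the client's floor is TLS 1.0: no connection.
        "floor_holds": connect_with_fallback(modern, "TLS 1.0", blocked),
        # Cost of the floor: an SSL 3.0-only server becomes unreachable.
        "legacy_lost": connect_with_fallback(legacy, "TLS 1.0"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:12} -> {result}")
```

The "degraded" and "floor_holds" rows differ only in the client's floor, which is the change the browser vendors are making; "legacy_lost" is the interoperability price of it.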