Yet another SSL (Secure Sockets Layer) problem (aka vulnerability) has been discovered in an older version of a protocol widely used on the Internet. This flaw was discovered by Google engineers but is Internet-wide. The flaw has been named POODLE and follows another security issue with SSL, named Heartbleed, that was big news about six months ago.
Google’s Security Team revealed on Tuesday that the long obsolete, but still all too widely used, Secure Sockets Layer (SSL) 3.0 cryptographic protocol has a major security flaw.
According to the team’s Bodo Möller: “This vulnerability allows the plaintext of secure connections to be calculated by a network attacker.”
While SSL 3.0 has been succeeded by Transport Layer Security (TLS) 1.0, TLS 1.1, and TLS 1.2, many TLS implementations have continued to be backwards compatible with SSL 3.0 to work with legacy systems for a smoother user experience.
Should we freak out? Yes and no. This version of SSL is old—15 years old—and most sites don’t use it anymore. However, sites often use older versions as a backup which might trigger the vulnerability, and people who’d want to prey upon someone’s online security have ways to trick sites into using the vulnerable version.
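The backup-protocol behaviour described above is exactly what a server-side protocol floor shuts off: a server that refuses to negotiate below a chosen version cannot be talked into the vulnerable one. The following Go program is an added example, not code from the original post or from Google's advisory; because Go's crypto/tls has no SSL 3.0 support at all, it generalizes the same check to a TLS 1.0-only client against a TLS 1.2 floor. The certificate is generated in memory for the demo, and the names demoCert and NegotiatedVersion are chosen here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// demoCert builds a throwaway self-signed certificate in memory (constructed for this demo only).
func demoCert() (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	parsed, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(parsed) // the client verifies against this pool rather than skipping verification
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// NegotiatedVersion runs one handshake over an in-memory pipe: the server refuses anything
// below minServer, the client offers nothing above maxClient, and a refusal is returned as the error.
func NegotiatedVersion(minServer, maxClient uint16) (uint16, error) {
	cert, pool := demoCert()
	srvCfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: minServer}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "localhost",
		MinVersion: tls.VersionTLS10, MaxVersion: maxClient} // explicit MinVersion: recent Go defaults to TLS 1.2
	sConn, cConn := net.Pipe()
	go func() { _ = tls.Server(sConn, srvCfg).Handshake(); sConn.Close() }()
	defer cConn.Close()
	client := tls.Client(cConn, cliCfg)
	if err := client.Handshake(); err != nil {
		return 0, err // e.g. "remote error: tls: protocol version not supported"
	}
	return client.ConnectionState().Version, nil
}

// A TLS 1.0-only client against a TLS 1.2 floor: prints 0 and the refusal error.
func main() { fmt.Println(NegotiatedVersion(tls.VersionTLS12, tls.VersionTLS10)) }
```

The same floor applied to SSL 3.0 (for example `ssl_protocols` in nginx or `SSLProtocol` in Apache, with SSLv3 excluded) is the fix the advisory points at; the program only makes the refusal observable.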
Security experts said that hackers could steal browser “cookies” in “Poodle” attacks, potentially taking control of email, banking and social networking accounts. Even so, experts said the threat was not as serious as the two prior bugs.
Why Post About This?
In this case it’s more about the big picture of Internet security and privacy than it is about POODLE.
In other words, this is yet another example of why awareness, knowledge, and education (internally amongst professionals and externally with library users) of Internet security and privacy issues need to be a larger part of the library landscape.
Back in April at the CNI conference I suggested that the time has come for the library community to consider developing a set of best practices and guidelines and also to think about creating a security/privacy certification for both our own libraries and the data providers we work with.
Finally, while we often discuss privacy issues as they relate to data transmitted over the Internet it’s also easy to forget that security of the data we control also must be looked at. Here are two recent examples.