Another SSL Problem: More Data Security Issues & Two Recent Database Breaches in U.S. and Canada
Yet another SSL (secure sockets layer) problem (aka vulnerability) has been discovered in an older version of a protocol widely used on the Internet. This flaw was discovered by Google engineers but is Internet wide. The flaw has been named POODLE and follows other security issued with SSL named Heartbleed that was big news about six months ago.
From ZDNet:
Google’s Security Team revealed on Tuesday that the long obsolete, but still all too used, Secure Sockets Layer (SSL) 3.0 cryptographic protocol has a major security flaw.
According to the team’s Bodo Möller: “This vulnerability allows the plaintext of secure connections to be calculated by a network attacker.”
While SSL 3.0 has been succeeded by Transport Layer Security (TLS) 1.0, TLS 1.1, and TLS 1.2, many TLS implementations have continued to be backwards compatible with SSL 3.0 to work with legacy systems for a smoother user experience.
Alissa Walker at Gizmodo writes:
Should we freak out? Yes and no. This version of SSL is old—15 years old—and most sites don’t use it anymore. However, sites often use older versions as a backup which might trigger the vulnerability, and people who’d want to prey upon someone’s online security have ways to trick sites into using the vulnerable version.
From Reuters
Security experts said that hackers could steal browser “cookies” in “Poodle” attacks, potentially taking control of email, banking and social networking accounts. Even so, experts said the threat was not as serious as the two prior bugs.
Why Post About This?
In this case it’s more about the big picture of Internet security and privacy as it is about POODLE.
In other words, this is yet another example of why awareness, knowledge, and education (internally amongst professionals and externally with library users) of Internet security and privacy issues need to be a larger part of the library landscape.
Back in April at the CNI conference I suggested that the time has come for the library community to consider developing a set of best practices and guidelines and also to think about creating a security/privacy certification for both our own libraries and the data providers we work with.
Finally, while we often discuss privacy issues as they relate to data transmitted over the Internet it’s also easy to forget that security of the data we control also must be looked at. Here are two recent examples.
1. Employment Department data breach: more than 851,000 people could be at risk (via The Oregonian)
2. Personal info of 15,000 people accessed in B.C. government database breach (via The Globe and Mail/Canadian Press)
Other Recent Posts
See Also: Privacy: Now Everyone Knows It’s Easy to Permanently Save Images Shared via Snapchat (October 11, 2014)
See Also: New and Old: Serious Reader Privacy Concerns Both Inside and Outside the Library
Filed under: Data Files, Libraries, News, Patrons and Users
About Gary Price
Gary Price (gprice@gmail.com) is a librarian, writer, consultant, and frequent conference speaker based in the Washington D.C. metro area. He earned his MLIS degree from Wayne State University in Detroit. Price has won several awards including the SLA Innovations in Technology Award and Alumnus of the Year from the Wayne St. University Library and Information Science Program. From 2006-2009 he was Director of Online Information Services at Ask.com.