Mozilla will make Firefox 34 immune to POODLE, releases fix for older versions
Google yesterday disclosed a major security vulnerability it has found in the SSL 3.0 encryption protocol, that is still employed by many sites across the web, despite long being superseded. Dubbed POODLE (Padding Oracle On Downgraded Legacy Encryption), it allows attackers to steal private data, like cookies, and, possibly, use it to access user accounts on vulnerable sites. The search giant says its Chrome browser should be safe, but warns that others may be vulnerable.
Firefox is one of the vulnerable ones. To address this issue, Mozilla reveals that the upcoming version -- Firefox 34, to be exact -- will feature code which makes it immune to the POODLE attack. For those who use lesser versions of the open-source browser -- most users, basically -- the organization provides an optional fix.
Mozilla says that it is making Firefox 34 safe from POODLE by disabling SSL 3.0 by default. The code which does this is already baked into the Nightly channel, and will make its way to the Aurora and Beta channels also "in the next few weeks".
You may wonder why it is taking Mozilla so long to protect its users from POODLE. Well, the reason for the apparent delay is to give website administrators enough time to upgrade to a superior encryption protocol, like TLS, as to not break sensitive encrypted connections.
On top of disabling SSL 3.0, Mozilla says that there will be an extra security measure in Firefox 34, that would prevent future attacks that rely on insecure failback. Insecure failback is leveraged in POODLE to tell websites, that already support superior encryption protocols, to revert to communicating using the less secure SSL 3.0.
The negative impact that disabling SSL 3.0 in Firefox 34, or any other older iteration for that matter, will have is negligible, as far as the vast majority of users are concerned. According to research carried out by Mozilla and the University of Michigan, only a small fraction of the top million domains in Alexa rely on SSL 3.0.
The percentage that Mozilla mentions -- 0.42 -- translates to just 4,200 domains. Mozilla also says that SSL 3.0 is only used in 0.3 percent of encrypted connections. That, however, means "millions of transactions per day", according to the organization.
Needless to say, Mozilla recommends making sure that Firefox automatic update is enabled, so that users can update to Firefox 34 as soon as it is released, on November 25. In the meantime, the organization has developed an extension, called SSL Version Control (no restart is required after installing it), which users can install to disable SSL 3.0, as it sets the minimum encryption protocol version to TLS 1.0 (which has supersededed SSL 3.0).