Public Wi-Fi users, beware of Poodle

Computer users may want to hold off e-banking or even checking their e-mail over public Wi-Fi networks until Web browser makers fix a newly discovered flaw. -- PHOTO: ST FILE
Computer users may want to hold off e-banking or even checking their e-mail over public Wi-Fi networks until Web browser makers fix a newly discovered flaw. -- PHOTO: ST FILE

Don't make sensitive transactions until browser flaw fixed, say experts

Computer users may want to hold off e-banking or even checking their e-mail over public Wi-Fi networks until Web browser makers fix a newly discovered flaw.

Known as Poodle, which stands for Padding Oracle on Downgraded Legacy Encryption, the bug allows Web sessions and transactions to be hijacked without even needing victims' passwords. It exploits an outdated encryption protocol - Secure Sockets Layer version 3 (SSLv3) - which, ironically, is meant to secure Web links.

And SSLv3 is supported by nearly all the Web browsers that are in use today: Google Chrome, Mozilla Firefox and Microsoft Internet Explorer (IE).

The bug was discovered by three Google security researchers, who published a paper about it on Thursday.

While the potential damage is severe, security experts also said that the exploits are limited to determined miscreants on the same network as their victims.

For instance, hackers have to be using the same Starbucks Wi-Fi network as their victims. An attack cannot be conducted remotely from, say, Russia.

"Still, users should avoid making sensitive transactions over public Wi-Fi networks," said Mr Matthias Yeo, Asia-Pacific chief technology officer for security systems maker Blue Coat Systems.

This is at least until browser makers have disabled support for SSLv3 with new version releases.

Mozilla reportedly said it would ditch the insecure SSLv3 from a new version of Firefox slated for release on Nov 25.

Google started to disable SSLv3 from its Chrome browser in its testing labs, but did not say when it would release a new version. Microsoft also did not say when it would disable the protocol from IE 6. But its IE 7 browser allows users to turn off the SSLv3 function.

The Singapore Computer Emergency Response Team (SingCert) issued an alert on its website on Thursday, warning users to update their browsers to the latest versions once they are available.

Public Wi-Fi users are eagerly waiting for the new releases. Said events project consultant Roy Nahar, 34: "I won't use my laptop for sensitive transactions at cafes for the time being."

Meanwhile, marketing manager Aaron Koh, 38, said he is not too worried. "I seldom use public Wi-Fi for online banking. Only to check my e-mail."

itham@sph.com.sg