Tuesday, October 14, 2014

Dreaded SSLv3 bug no monster, only a POODLE [feedly]

Dreaded SSLv3 bug no monster, only a POODLE
// CSO Online

On Tuesday, Google's Bodo Möller, along with fellow researchers Thai Duong and Krzysztof Kotowicz, disclosed the existence of a vulnerability in SSLv3, which allows the plaintext of secure connections to be calculated by an attacker on the network.

While the issue generated some hype late Monday, and most of the day on Tuesday, it turns out that the vulnerability is something that most researchers have speculated / known about for some time.

According to the published advisory, the issue was discovered last month.

Called the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack, the problem centers on the fact that, in order to work with legacy servers, most TLS clients will downgrade each time a secure connection attempt (handshake) fails.

To read this article in full or to leave a comment, please click here


Shared via my feedly reader

Sent from my iPhone

No comments:

Post a Comment