<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <a class="moz-txt-link-freetext" href="https://www.openssl.org/~bodo/ssl-poodle.pdf">https://www.openssl.org/~bodo/ssl-poodle.pdf</a><br>
    <div class="page" title="Page 1">
      <div class="section" style="background-color: rgb(100.000000%,
        100.000000%, 100.000000%)">
        <div class="layoutArea">
          <div class="column">
            <p><span style="font-size: 11.000000pt; font-family:
                'ArialMT'">SSL 3.0 [RFC6101] is an obsolete and insecure
                protocol. While for most practical
                purposes it has been replaced by its successors TLS 1.0
                [RFC2246], TLS 1.1 [RFC4346],
                and TLS 1.2 [RFC5246], many TLS implementations remain
                backwards-compatible with
                SSL 3.0 to interoperate with legacy systems in the
                interest of a smooth user experience.
                The protocol handshake provides for authenticated
                version negotiation, so normally the
                latest protocol version common to the client and the
                server will be used.
              </span></p>
            <p><span style="font-size: 11.000000pt; font-family:
                'ArialMT'">However, even if a client and server both
                support a version of TLS, the security level
                offered by SSL 3.0 is still relevant since many clients
                implement a protocol downgrade
                dance to work around server-side interoperability bugs.
                In this Security Advisory, we
                discuss how attackers can exploit the downgrade dance
                and break the cryptographic
                security of SSL 3.0. Our POODLE attack (Padding Oracle
                On Downgraded Legacy
                Encryption) will allow them, for example, to steal
                “secure” HTTP cookies (or other bearer
                tokens such as HTTP Authorization header contents).
              </span></p>
            <p><span style="font-size: 11.000000pt; font-family:
                'ArialMT'">We then give recommendations for both clients
                and servers on how to counter the attack:
                if disabling SSL 3.0 entirely is not acceptable out of
                interoperability concerns, TLS
                implementations should make use of TLS_FALLBACK_SCSV.
              </span></p>
            <p><span style="font-size: 11.000000pt; font-family:
                'ArialMT'; color: rgb(6.670000%, 33.330000%,
                80.000000%)">CVE-2014-3566 </span><span
                style="font-size: 11.000000pt; font-family: 'ArialMT'">has
                been allocated for this protocol vulnerability.
              </span></p>
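            <p>The downgrade dance and the TLS_FALLBACK_SCSV countermeasure summarised above, modelled in Python as an added example (this is not code from the advisory, from OpenSSL, or from any TLS library). The example assumes a toy server that negotiates the lower of the client's offered version and its own maximum, and a "transport" function that models a connection attempt failing (a version-intolerant server or interference with the higher-version attempts). The TLS_FALLBACK_SCSV code point 0x5600 and the inappropriate_fallback alert are from RFC 7507; the cipher suite 0x002F is just an ordinary suite to make the list realistic.</p>

```python
from dataclasses import dataclass

# Protocol versions as (major, minor) wire values; tuples compare in version order.
SSL_3_0 = (3, 0)
TLS_1_0 = (3, 1)
TLS_1_1 = (3, 2)
TLS_1_2 = (3, 3)

TLS_FALLBACK_SCSV = 0x5600  # RFC 7507 signalling cipher suite value
AES128_SHA = 0x002F         # an ordinary cipher suite, only to make the list realistic


@dataclass
class ClientHello:
    version: tuple          # highest version the client offers in this attempt
    cipher_suites: list


class Server:
    """Toy server (assumption): negotiates min(client offer, own maximum)."""

    def __init__(self, max_version, honours_scsv=True):
        self.max_version = max_version
        self.honours_scsv = honours_scsv   # False models a server that ignores the SCSV

    def handle(self, hello):
        # RFC 7507 rule: if the client signals that this is a fallback retry but
        # offers less than we support, the fallback was not needed, so refuse it.
        if (self.honours_scsv and TLS_FALLBACK_SCSV in hello.cipher_suites
                and hello.version < self.max_version):
            return ("alert", "inappropriate_fallback")
        return ("ok", min(hello.version, self.max_version))


def drop_above(limit):
    """Transport (assumption) that fails any ClientHello offering more than `limit`.
    Models either a version-intolerant server or the higher-version attempts
    being blocked so that the client works its way down to SSL 3.0."""
    return lambda hello: hello.version <= limit


def clean_transport(hello):
    """Transport on which every attempt reaches the server."""
    return True


def connect_with_fallback(server, transport, send_scsv=True,
                          versions=(TLS_1_2, TLS_1_1, TLS_1_0, SSL_3_0)):
    """Client-side downgrade dance: retry with the next lower version when a
    handshake attempt fails.  Returns (negotiated_version_or_None, attempt_log)."""
    log = []
    for attempt, version in enumerate(versions):
        suites = [AES128_SHA]
        if attempt > 0 and send_scsv:
            suites.append(TLS_FALLBACK_SCSV)   # mark this hello as a fallback retry
        hello = ClientHello(version, suites)
        if not transport(hello):
            log.append((version, "no response"))
            continue                           # try the next lower version
        outcome = server.handle(hello)
        log.append((version, outcome))
        if outcome[0] == "ok":
            return outcome[1], log
        return None, log    # inappropriate_fallback alert: stop, do not go lower
    return None, log


if __name__ == "__main__":
    modern = Server(TLS_1_2)
    print(connect_with_fallback(modern, clean_transport)[0])              # (3, 3)
    # Higher versions blocked: without the SCSV the client ends up on SSL 3.0
    print(connect_with_fallback(modern, drop_above(SSL_3_0), send_scsv=False)[0])  # (3, 0)
    # With the SCSV the server notices the unneeded fallback and refuses it
    print(connect_with_fallback(modern, drop_above(SSL_3_0))[0])           # None
```

            <p>Running the three cases in the block shows the point of the recommendation: the same client that would otherwise be walked down to SSL 3.0 is stopped by the server's inappropriate_fallback alert once both sides implement the SCSV, while a genuinely version-intolerant legacy server still gets its fallback connection, because the client's retry offers exactly what that server supports. Note that the signal only helps when the server honours it; a server that ignores the SCSV still accepts the downgraded SSL 3.0 handshake, which is why disabling SSL 3.0 outright remains the stronger fix.</p>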
          </div>
        </div>
      </div>
    </div>
    <br>
<a class="moz-txt-link-freetext" href="http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploiting-ssl-30.html">http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploiting-ssl-30.html</a><br>
    <br>
    <br>
  </body>
</html>