[Cryptography] SSL bug: This POODLE Bites: Exploiting The SSL 3.0 Fallback

ianG iang at iang.org
Tue Oct 14 20:03:02 EDT 2014


SSL 3.0 [RFC6101] is an obsolete and insecure protocol. While for most
practical purposes it has been replaced by its successors TLS 1.0
[RFC2246], TLS 1.1 [RFC4346], and TLS 1.2 [RFC5246], many TLS
implementations remain backwards-compatible with SSL 3.0 to interoperate
with legacy systems in the interest of a smooth user experience. The
protocol handshake provides for authenticated version negotiation, so
normally the latest protocol version common to the client and the server
will be used.

However, even if a client and server both support a version of TLS, the
security level offered by SSL 3.0 is still relevant since many clients
implement a protocol downgrade dance to work around server-side
interoperability bugs. In this Security Advisory, we discuss how
attackers can exploit the downgrade dance and break the cryptographic
security of SSL 3.0. Our POODLE attack (Padding Oracle On Downgraded
Legacy Encryption) will allow them, for example, to steal "secure" HTTP
cookies (or other bearer tokens such as HTTP Authorization header

We then give recommendations for both clients and servers on how to
counter the attack: if disabling SSL 3.0 entirely is not acceptable out
of interoperability concerns, TLS implementations should make use of

CVE-2014-3566 has been allocated for this protocol vulnerability.

