[cabfpub] SSLv3 - Poodle Attack
Ben Wilson
ben.wilson at digicert.com
Tue Oct 14 23:28:22 UTC 2014
Since I hinted at it earlier today, FWIW here is the news -
https://www.openssl.org/~bodo/ssl-poodle.pdf
Poodle stands for "Padding Oracle On Downgraded Legacy Encryption".
CVE-2014-3566 has been reserved for this protocol vulnerability (no
additional information is available yet at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566).
The attack works by interfering with the establishment of a TLS connection.
A client will quickly downgrade to SSLv3, which uses either the RC4 stream
cipher (subject to information leakage) or a block cipher in CBC mode
(subject to information leakage via the Poodle attack).
As I understand the explanation, the man-in-the-middle decrypts the block
ciphers by first padding a block with known values and then chipping away
until the secure cookie (or other authentication data) is fully decrypted.
If disabling SSLv3 is not feasible due to legacy system issues, the paper
suggests a few mitigations, such as using TLS_FALLBACK_SCSV to prevent a
downgrade in the first place.
"This use of TLS_FALLBACK_SCSV will ensure that SSL 3.0 is used only when a
legacy implementation is involved: attackers can no longer force a protocol
downgrade. (Attacks remain possible if both parties allow SSL 3.0 but one
of them is not updated to support TLS_FALLBACK_SCSV, provided that the
client implements a downgrade dance down to SSL 3.0.)"
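As an added illustration, not part of Ben Wilson's message or of the paper, here is a small Python model of the browser "downgrade dance" and the TLS_FALLBACK_SCSV check, covering the cases the quoted paragraph describes. The protocol version numbers and the SCSV value are the real wire constants; the handshake is otherwise reduced to version negotiation, and the attacker is modelled simply as a network that drops every handshake above a chosen version.

```python
# Model of TLS_FALLBACK_SCSV (RFC 7507) downgrade protection. Constructed
# example: real wire constants, simplified handshake.
SSLv3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
TLS_FALLBACK_SCSV = 0x5600   # signalling cipher suite value (RFC 7507)
AES128_SHA = 0x002F          # an ordinary suite, used only as filler here


class InappropriateFallback(Exception):
    """Models the inappropriate_fallback alert a patched server sends."""


def server_hello(server_max, client_version, cipher_suites, server_knows_scsv):
    """Return the negotiated version, or raise if a fallback is illegitimate.

    A patched server refuses a handshake that carries the SCSV but offers a
    version below the server's own maximum: a genuine client would have
    reached that higher version without falling back."""
    if (server_knows_scsv and TLS_FALLBACK_SCSV in cipher_suites
            and client_version < server_max):
        raise InappropriateFallback()
    return min(server_max, client_version)


def downgrade_dance(server_max, client_max, client_min, network_max,
                    client_sends_scsv, server_knows_scsv):
    """Simulate a client retrying with ever lower versions.

    network_max models the attacker in the middle: handshakes offering a
    version above it are dropped, which looks like a network error to the
    client. Returns the negotiated version, or None if the connection fails."""
    version = client_max
    while version >= client_min:
        suites = [AES128_SHA]
        if client_sends_scsv and version < client_max:  # a retry: mark it
            suites.append(TLS_FALLBACK_SCSV)
        if version > network_max:                       # handshake swallowed
            version -= 1
            continue
        try:
            return server_hello(server_max, version, suites, server_knows_scsv)
        except InappropriateFallback:
            return None                                 # fail, don't downgrade
    return None


def scenarios():
    """Outcomes for the cases the quoted paragraph describes."""
    return {
        "no attacker":                downgrade_dance(TLS12, TLS12, SSLv3, TLS12, True, True),
        "attacker, both patched":     downgrade_dance(TLS12, TLS12, SSLv3, SSLv3, True, True),
        "attacker, server unpatched": downgrade_dance(TLS12, TLS12, SSLv3, SSLv3, True, False),
        "attacker, client unpatched": downgrade_dance(TLS12, TLS12, SSLv3, SSLv3, False, True),
        "attacker, SSLv3 disabled":   downgrade_dance(TLS12, TLS12, TLS10, SSLv3, False, False),
        "legacy SSLv3-only server":   downgrade_dance(SSLv3, TLS12, SSLv3, TLS12, True, True),
    }
```

The two "unpatched" cases still end on SSLv3, which is the residual exposure the paper's parenthetical warns about; disabling SSLv3 on either side closes it regardless of SCSV support.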