SSL 3.0 Vulnerability Discovered

DaveyH
Pro
Posts: 1,289
Thanks: 176
Fixes: 7
Registered: 15-11-2012

SSL 3.0 Vulnerability Discovered

Quote
Today Google researchers announced (PDF link) that they have found a bug in the SSL 3.0 protocol. The exploit could be used to intercept critical data that’s supposed to be encrypted between clients and servers.
The exploit first allows attackers to initiate a “downgrade dance” that tells the client that the server doesn’t support the more secure TLS (Transport Layer Security) protocol and forces it to connect via SSL 3.0. From there a man-in-the-middle attack can decrypt secure HTTP cookies. Google calls this the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack...

http://thenextweb.com/google/2014/10/15/web-encryption-vulnerability-opens-encrypted-data-hackers/
10 REPLIES
Community Veteran
Posts: 19,099
Thanks: 434
Fixes: 21
Registered: 31-08-2007

Re: SSL 3.0 Vulnerability Discovered

Surely this should be given more visibility on a more suitable board. If we still had Broadband and Routers, I would have said there, but as we don't [roll eyes] I'm not sure which board is most appropriate. Perhaps the mods can decide? [crazy]
Moderator
Moderator
Posts: 17,249
Thanks: 904
Fixes: 104
Registered: 11-01-2008

Re: SSL 3.0 Vulnerability Discovered

it's neither broadband nor routers.. so it shouldn't be there [roll eyes]
Will Moderate For Thanks
Community Veteran
Posts: 19,099
Thanks: 434
Fixes: 21
Registered: 31-08-2007

Re: SSL 3.0 Vulnerability Discovered

Well it could be broadband, but it could equally be dial-up, why haven't we got a board for that [shocked]
Plusnet Help Team
Plusnet Help Team
Posts: 17,636
Thanks: 619
Fixes: 159
Registered: 05-04-2007

Re: SSL 3.0 Vulnerability Discovered

@Anotherone, We get your point but this really isn't the thread to discuss the board split in. This thread is about a potential vulnerability in SSL 3.0, not broadband, not dial-up.
 Chris Parr
 Plusnet Help Team
Community Veteran
Posts: 19,099
Thanks: 434
Fixes: 21
Registered: 31-08-2007

Re: SSL 3.0 Vulnerability Discovered

Oh dear, some people sometimes need to see occasions when they should develop a sense of humour [sad]
And to be pedantic as SSL3.0 is used in both broadband and dial-up connections then a board covering either would be appropriate.
Although my initial remark was a touch tongue in cheek, this issue does need a bit more visibility.
Community Veteran
Posts: 6,824
Registered: 27-10-2012

Re: SSL 3.0 Vulnerability Discovered

Quote from: Anotherone
And to be pedantic as SSL3.0 is used in both broadband and dial-up connections then a board covering either would be appropriate.

The only plausible place this vulnerability can be used is in a web browser - it would require an attacker to inject his own data and intercept the encrypted bytes. But the attack most likely requires the victim to be lured on to his network, so we're talking a fake WiFi access point etc. The attacker wants to gain access to decrypted session cookies of the victim.
The chances of this vulnerability affecting anyone are pretty remote, a fake bank website is much more likely to be an issue than this vulnerability.
Community Veteran
Posts: 19,099
Thanks: 434
Fixes: 21
Registered: 31-08-2007

Re: SSL 3.0 Vulnerability Discovered

So both Software boards as well then [wink]
DaveyH
Pro
Posts: 1,289
Thanks: 176
Fixes: 7
Registered: 15-11-2012

Re: SSL 3.0 Vulnerability Discovered

I posted it in the most appropriate board, since there isn't one for web.
But who cares what board it's on. I should imagine anyone with an ounce of common sense goes to unread topics rather than trawling through the individual boards..
But most importantly, thanks for filling the thread with pointless posts just to be a pedantic arse and make a point...
Community Veteran
Posts: 19,099
Thanks: 434
Fixes: 21
Registered: 31-08-2007

Re: SSL 3.0 Vulnerability Discovered

Actually I resent your remarks, the "pointless" posts are at least keeping the thread at the top of the board and the underlying point in my initial response was quite serious. I've no doubt you posted where you thought was the most appropriate place and in the circumstances, I would probably have done the same. It was no criticism of you, I'm sorry if you took it that way, that was not intended, my bad phrasing.
FYI I rarely bother with Unread posts any more as I can't be on here 24/7 and there are far too many these days, I keep an eye on the boards that are important where I might have an input or carry posts I'm interested in. Chit-chat is a board I only look at now and again, or if the latest post when looking at the main Forum page catches my eye. Whilst there is nothing "wrong" with this thread being here, I still think the issue needs more prominence and would have hoped dvorak's response could have been more constructive.
kmilburn
Grafter
Posts: 902
Thanks: 2
Registered: 30-07-2007

Re: SSL 3.0 Vulnerability Discovered

Anywhoo, back on topic...
One important point, unlike other vulnerabilities recently disclosed.
Quote from: http://www.theregister.co.uk/2014/10/14/google_drops_ssl_30_poodle_vulnerability/
This should be an academic curiosity because SSL 3.0 was deprecated very nearly 15 years ago.
...
If Heartbleed or Shellshock merited a 10, then this attack is only around a five

It's also indicating more problems for the Windows XP holdouts.
Quote
Websites that end support for SSL v3 will become incompatible with older browsers and OSes – particularly Internet Explorer 6 and Windows XP.