[Nottingham] Oodles of poodles make your noodle go cock-a-doodle
Michael Simms
lug at toomanysites.org
Wed Oct 15 09:29:35 UTC 2014

To be honest, this is pretty much a non-event in terms of an attack.

Sure, IF someone can cause a network disruption they can force a
renegotiation. They need access to your data stream to do it though.
However, IF they have access to your data stream, they can just rewrite
the first packet in the SSL Client Hello to report that the client is
SSLv3 anyway, and the server will automatically downgrade to SSLv3 to
match. When the server responds with its Server Hello as SSLv3, the
client will then think the server is only capable of it, and will also
downgrade to match. Job done, equivalent attack completed, and with much
less hassle than the scenario painted by this attack.

This has been known about forever, it's part of the protocol, and
required for backwards compatibility, but the requirement of a man in
the middle means it's still pretty unlikely.

On 10/15/2014 09:48 AM, Jason Irwin wrote:
> http://www.theregister.co.uk/2014/10/14/google_drops_ssl_30_poodle_vulnerability/
>
> Long story short, browsers can be forced to downgrade to SSL3 and then
> packets sniffed, exploits performed.
>
> Quick solution: Drop support for SSL3.
>
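
Both messages turn on the protocol version a client advertises in its Client Hello. As an added example (not part of either poster's message), this Python code parses captured Client Hello records and flags the ones whose advertised version is SSLv3, which is one way to find clients still offering it before dropping support. It assumes one unfragmented handshake record per input; the function names and sample bytes are constructed for illustration.

```python
import struct

NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

def parse_client_hello(record: bytes) -> dict:
    """Parse one unfragmented SSL/TLS record that holds a ClientHello."""
    if len(record) < 9:
        raise ValueError("too short for record + handshake headers")
    ctype, rmaj, rmin, rlen = struct.unpack("!BBBH", record[:5])
    if ctype != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hlen = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hlen]
    if rlen != hlen + 4 or len(hello) != hlen or hlen < 35:
        raise ValueError("truncated or fragmented ClientHello")
    pos = 2 + 32                  # skip client_version and random
    pos += 1 + hello[pos]         # skip session_id_length and session_id
    cs_len = int.from_bytes(hello[pos:pos + 2], "big")
    raw = hello[pos + 2:pos + 2 + cs_len]
    if len(hello) < pos + 2 or len(raw) != cs_len or cs_len % 2:
        raise ValueError("bad cipher suite list")
    name = lambda v: NAMES.get(v, "%d.%d" % v)
    return {"record_version": name((rmaj, rmin)),
            "client_version": name((hello[0], hello[1])),
            "cipher_suites": [int.from_bytes(raw[i:i + 2], "big") for i in range(0, cs_len, 2)]}

def flag_ssl3_hellos(records):
    """Return (index, reason) for hellos advertising SSLv3 or failing to parse."""
    hits = []
    for i, rec in enumerate(records):
        try:
            info = parse_client_hello(rec)
        except ValueError as exc:
            hits.append((i, f"unparsed: {exc}"))
            continue
        if info["client_version"] == "SSLv3":
            hits.append((i, "client_version is SSLv3"))
    return hits

def build_hello(version, suites, record_version=(3, 1)):
    """Build a constructed sample record: zero random, empty session_id."""
    body = bytes(version) + bytes(33)
    body += struct.pack("!H", 2 * len(suites)) + struct.pack(f"!{len(suites)}H", *suites)
    body += b"\x01\x00"           # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(record_version) + struct.pack("!H", len(hs)) + hs

# Constructed samples: a TLSv1.2 hello, an SSLv3 hello, a non-handshake stub.
SAMPLES = [build_hello((3, 3), [0xC02F, 0x009C]),
           build_hello((3, 0), [0x0035, 0x000A], (3, 0)), b"\x17\x03\x03\x00\x00"]
```
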