[Nottingham] Oodles of poodles make your noodle go cock-a-doodle

Jason Irwin jasonirwin73 at gmail.com
Wed Oct 15 09:39:31 UTC 2014


On 15/10/14 10:29, Michael Simms wrote:
> However, IF they have access to your data stream, they can just rewrite
> the first packet in the SSL Client Hello to report that the client is
> SSLV3 anyway, and the server will automatically downgrade to SSLV3 to
> match. 
Unless one disables downgrade from TLS server-side.

> When the server responds with its Server Hello as SSLV3, then the
> client will then think the server is only capable of it, and will also
> downgrade to match.
Unless your browser has been told to not support SSLv3 (standard in FF
these days, I think IE still uses it by default).

> This has been known about forever, it's part of the protocol, and
> required for backwards compatibility, but the requirement of a man in
> the middle means it's still pretty unlikely.
Unless a new-and-improved FireSheep does the rounds. Sit in a
cafe...sniffy-sniffy, cracky-cracky.

They do state it's not on the same level as Heartbleed/Shellshock and
it's trivial for an end-user to protect themselves.
If they know that they need to....

-- 
╔═════════════╦══════════════════════════════════════════╗
║ Jason Irwin ║ OpenPGP (GPG/PGP) Public Key: 0xD0C592B1 ║
║             ║ Import from hkp://pgp.mit.edu            ║
╚═════════════╩══════════════════════════════════════════╝



More information about the Nottingham mailing list