Skip to content

Home Special Alerts SSL 3.0 Critical Vulnerability
SSL 3.0 Critical Vulnerability
Wednesday, 15 October 2014 17:31

Description:

As of the 15th October 2014, Macau Computer Emergency Response Team (MOCERT) has been made aware that through a server supporting SSL3.0, a techniques exists to negotiate the encryption to SSL3.0 and then take advantage of its weakness to extract session keys. This vulnerability has been found by Google and is named “Poodle”. This advisory is issued to urge servers to deprecate the use of SSL3.0 as successor techniques of TLS1.0 [RFC2246], TLS1.1 [RFC4346], and, TLS1.2 [5246] do not suffer from this vulnerability.

Vulnerability:

The enabling of SSL3.0 in the set of stronger technique, is prone for an attacker to select the SSL3.0 as the encryption of choice and then exploiting the weakness in SSL3.0 to obtain session keys.

Impact:

If the exploit is successful then session keys are then available to a man-in-the-middle, to then decrypt the encrypted traffic.

Systems Affected:

All service that enable SSL3.0

Patches:

It is recommended disable SSL3.0 from the set of encryption techniques available of TLS1.0, TLS1.1, and TLS1.2.

Links:

Google Blog

http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html

Google Advisory
https://www.openssl.org/~bodo/ssl-poodle.pdf

Daniel Fox Franke Blog
https://www.dfranke.us/posts/2014-10-14-how-poodle-happened.html

 
[YOUR IP: 3.83.32.171: 49714] ...   [YOUR BROWSER: CCBot/2.0 (https://commoncrawl.org/faq/)] ...