<div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small"><span style="font-family:arial">On 16 October 2014 11:14, Sven Schwedas </span><span dir="ltr" style="font-family:arial"><<a href="mailto:sven.schwedas@tao.at" target="_blank">sven.schwedas@tao.at</a>></span><span style="font-family:arial"> wrote:</span><br></div><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span class="">On 2014-10-15 18:20, Geoff Winkless wrote:<br>
> Well the only thing new about POODLE versus previous known<br>
> vulnerabilities is the way to manipulate the known vulnerability to gain<br>
> the session cookie, which you can then re-use to log on to the site for<br>
> yourself without needing to authenticate.<br>
<br>
</span>I think the more important new concept is that arbitrary sessions can be<br>
downgraded to use a known vulnerable cipher/protocol version, even if<br>
more secure ones are available and servers/clients use cipher suite pinning<br>
and all the other tricks we came up with to mitigate BEAST et al.<br></blockquote><div><br></div><div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;display:inline">Ahhh. Thanks, I figured I must have missed the point :)</div></div><div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;display:inline"><br></div></div><div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;display:inline">Although it isn't exactly news - referenced from the article:</div></div><div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;display:inline"><br></div></div><div><div class="gmail_default" style="display:inline"><font face="verdana, sans-serif"><a href="http://jbp.io/2013/07/07/tls-downgrade/">http://jbp.io/2013/07/07/tls-downgrade/</a></font><br></div></div><div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;display:inline"><br></div></div><div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;display:inline">Geoff</div> </div></div></div></div>
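The downgrade Sven describes works because clients of that era retried a failed handshake with a lower protocol version, so a path that simply never lets the stronger handshakes complete pushes the session down to SSLv3 regardless of what both ends prefer. The following is an added example, not code from the thread or from any of the projects mentioned: a toy model of that fallback dance and of the TLS_FALLBACK_SCSV signal from RFC 7507, in which a client marks every retry as a fallback and a server that could have spoken something stronger rejects it. The `Server`, `Client`, `downgrading_path` and `negotiate` names, the version list and the "network" function are all constructed for the simulation; nothing here opens a socket or speaks real TLS.

```python
# Added example (not from the original thread): a toy model of the client-side
# version fallback that POODLE abuses, and of the TLS_FALLBACK_SCSV signal
# (RFC 7507) that lets a server refuse a fallback it knows was unnecessary.
# Everything below is a constructed simulation; nothing touches a real socket.

VERSIONS = ["TLS1.2", "TLS1.1", "TLS1.0", "SSLv3"]  # index 0 is the strongest
FALLBACK_SCSV = "TLS_FALLBACK_SCSV"


def rank(version):
    """Lower rank means a stronger protocol version."""
    return VERSIONS.index(version)


class Server:
    def __init__(self, supported, honours_scsv):
        self.supported = supported
        self.honours_scsv = honours_scsv
        self.best = min(supported, key=rank)  # highest version this server offers

    def handshake(self, hello):
        client_version, ciphers = hello["version"], hello["ciphers"]
        # Normal negotiation: pick the highest supported version not above the
        # version the client announced.
        candidates = [v for v in self.supported if rank(v) >= rank(client_version)]
        if not candidates:
            return ("alert", "protocol_version")
        # RFC 7507: the client says "this is a fallback", yet the server could
        # have spoken something stronger, so the fallback was not the server's
        # doing and is refused.
        if (self.honours_scsv and FALLBACK_SCSV in ciphers
                and rank(client_version) > rank(self.best)):
            return ("alert", "inappropriate_fallback")
        return ("server_hello", min(candidates, key=rank))


class Client:
    def __init__(self, send_scsv):
        self.send_scsv = send_scsv

    def connect(self, server, network):
        for attempt, version in enumerate(VERSIONS):
            ciphers = ["AES128-SHA"]
            if self.send_scsv and attempt > 0:
                ciphers.append(FALLBACK_SCSV)  # flag every retry as a fallback
            try:
                reply = network(server, {"version": version, "ciphers": ciphers})
            except ConnectionError:
                continue  # browser-style behaviour: retry with the next lower version
            return reply[1] if reply[0] == "server_hello" else None
        return None


def passthrough(server, hello):
    """A benign network path: the handshake reaches the server unchanged."""
    return server.handshake(hello)


def downgrading_path(target):
    """Constructed hostile path on which handshakes above `target` never complete."""
    def relay(server, hello):
        if rank(hello["version"]) < rank(target):
            raise ConnectionError("handshake dropped")
        return server.handshake(hello)
    return relay


def negotiate(send_scsv, honours_scsv, network=passthrough, server_supported=VERSIONS):
    """Return the version the toy client ends up using, or None if the server refused."""
    return Client(send_scsv).connect(Server(server_supported, honours_scsv), network)


if __name__ == "__main__":
    print("no mitigation, hostile path:   ", negotiate(False, False, downgrading_path("SSLv3")))
    print("client sends SCSV, server ignores:", negotiate(True, False, downgrading_path("SSLv3")))
    print("SCSV on both sides, hostile path:", negotiate(True, True, downgrading_path("SSLv3")))
    print("SCSV, server tops out at TLS1.0: ", negotiate(True, True, server_supported=["TLS1.0", "SSLv3"]))
```

The point the model makes is the one in the message above: the downgrade succeeds even though both ends support TLS 1.2, and it only stops when the server is told that the low version was a fallback rather than a preference. The signal has to be honoured on both sides; a client that sends it to a server that ignores it still lands on SSLv3, which is why removing SSLv3 support entirely was the usual advice alongside deploying the SCSV.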