How to prevent SSLv3/Poodle attack?

Geoff Winkless cyrus at geoff.dj
Thu Oct 16 06:51:52 EDT 2014


On 16 October 2014 11:14, Sven Schwedas <sven.schwedas at tao.at> wrote:

> On 2014-10-15 18:20, Geoff Winkless wrote:
> > Well the only thing new about POODLE versus previous known
> > vulnerabilities is the way to manipulate the known vulnerability to gain
> > the session cookie, which you can then re-use to log on to the site for
> > yourself without needing to authenticate.
>
> I think the more important new concept is that arbitrary sessions can be
> downgraded to use a known vulnerable cipher/protocol version, even if
> more secure are available and servers/clients use cipher suite pinning
> and all the other tricks we came up with to mitigate BEAST et al.
>

Ahhh. Thanks, I figured I must have missed the point :)

Although it isn't exactly news - referenced from the article:

http://jbp.io/2013/07/07/tls-downgrade/

Geoff
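The downgrade point Sven raises is ultimately a configuration question: a server that refuses to negotiate SSLv3 (and, ideally, anything below TLS 1.2) cannot be talked down to it, whatever the client advertises. The following is an added illustration, not code from this thread or from the Cyrus project: it builds a Python `ssl` context with a protocol floor, audits an arbitrary context for negotiable legacy versions, and scans constructed connection-log lines for sessions that ended up below that floor. The `proto=`/`client=` log format and the `REQUIRED_FLOOR` of TLS 1.2 are assumptions for the example.

```python
import ssl

# Map the strings SSLSocket.version() reports onto ssl.TLSVersion members,
# so log text and context settings can be compared on one scale.
_NAME_TO_VERSION = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

# Assumed policy for this example: nothing below TLS 1.2 may be negotiated.
REQUIRED_FLOOR = ssl.TLSVersion.TLSv1_2


def hardened_context(purpose=ssl.Purpose.SERVER_AUTH):
    """Context that cannot be downgraded to SSLv3 or TLS 1.0/1.1.

    minimum_version is the authoritative floor on OpenSSL 1.1.0+; the
    legacy OP_NO_SSLv3 option bit is left to the library defaults.
    """
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = REQUIRED_FLOOR
    return ctx


def floor_allows(ctx, version):
    """True if the context's floor permits negotiating `version`."""
    floor = ctx.minimum_version
    if floor == ssl.TLSVersion.MINIMUM_SUPPORTED:
        return True  # no floor configured: whatever OpenSSL still supports
    return floor <= version


def audit_context(ctx):
    """Return human-readable findings for legacy versions still negotiable."""
    findings = []
    # SSLv3 is blocked either by the version floor or by the OP_NO_SSLv3 bit.
    if floor_allows(ctx, ssl.TLSVersion.SSLv3) and not (ctx.options & ssl.OP_NO_SSLv3):
        findings.append("SSLv3 negotiable: exposed to POODLE-class downgrade")
    for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1):
        if floor_allows(ctx, v):
            findings.append(f"{v.name} negotiable: below required floor {REQUIRED_FLOOR.name}")
    return findings


# Constructed sample log lines (not real traffic); the format is assumed.
SAMPLE_LOG = """\
2014-10-16T11:14:02 imaps client=192.0.2.10 proto=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256
2014-10-16T11:14:05 imaps client=192.0.2.44 proto=SSLv3 cipher=AES128-SHA
2014-10-16T11:14:09 imaps client=192.0.2.10 proto=TLSv1 cipher=AES256-SHA
2014-10-16T11:14:12 imaps client=198.51.100.7 proto=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384
"""


def downgraded_sessions(log_text, floor=REQUIRED_FLOOR):
    """List (client, proto) for sessions negotiated below the floor.

    Unknown or missing protocol names are flagged too, so a log format
    change fails loudly rather than silently passing.
    """
    flagged = []
    for line in log_text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        version = _NAME_TO_VERSION.get(fields.get("proto"))
        if version is None or version < floor:
            flagged.append((fields.get("client"), fields.get("proto")))
    return flagged


if __name__ == "__main__":
    ctx = hardened_context()
    print("audit findings:", audit_context(ctx) or "none")
    for client, proto in downgraded_sessions(SAMPLE_LOG):
        print(f"below floor: client={client} proto={proto}")
```

Running the audit against a freshly built hardened context returns no findings, while the log scan flags the two sessions that negotiated SSLv3 and TLS 1.0. The same `audit_context` can be pointed at any context an application constructs, which is a cheap regression check to keep a floor from being loosened later.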

