POODLE SSL 3.0 Attack Exploits Widely-used Web Encryption Standard


Crypto

Another Heartbleed-like vulnerability has been discovered in the decade old but still widely used Secure Sockets Layer (SSL) 3.0 cryptographic protocol that could allow an attacker to decrypt contents of encrypted connections to websites.
 
Google's Security Team revealed on Tuesday that the most widely used web encryption standard, SSL 3.0, has a major security vulnerability that could be exploited to steal sensitive data. The flaw affects any product that follows Secure Sockets Layer version 3, including Chrome, Firefox, and Internet Explorer.
 
Researchers dubbed the attack "POODLE," which stands for Padding Oracle On Downgraded Legacy Encryption. It allows an attacker to perform a man-in-the-middle attack in order to decrypt HTTP cookies. The POODLE attack can force a connection to "fall back" to SSL 3.0, where it is then possible to steal cookies, which are meant to store personal data, website preferences or even passwords.
 
 

Three Google security engineers - Bodo Möller, along with fellow researchers Thai Duong and Krzysztof Kotowicz - have uncovered this new security hole in widely used SSL 3.0 that makes the 15-year-old protocol nearly impossible to use safely.

"This vulnerability allows the plaintext of secure connections to be calculated by a network attacker," Bodo Möller, of the Google Security Team, wrote in a blog post today. "I discovered this issue in collaboration with Thai Duong and Krzysztof Kotowicz (also Googlers)."

POODLE (PDF) is really a critical threat because it is used by both websites and Web browsers and will remain critical as long as SSL 3.0 is supported. Therefore, both websites and Web browsers must be reconfigured to prevent using SSL 3.0.
 
While SSL 3.0 is no longer the most advanced form of Web encryption standard in use, Möller explained that Web browsers and secure HTTP servers still need it in case they encounter errors in Transport Layer Security (TLS), SSL's more modern, less vulnerable layer of security.

"If a client and server both support a version of TLS, the security level offered by SSL 3.0 is still relevant since many clients implement a protocol downgrade dance to work around server-side interoperability bugs."

To protect against the POODLE attack, there is nothing an end user can do, just as in the case of Heartbleed and Shellshock. But companies across the world will be releasing patches to their servers and embedded devices disallowing use of SSL 3.0.
 
Google discovered the vulnerability a month ago in September, just a few months after the Heartbleed incident brought SSL into the spotlight, and before publicly disclosing the details on the new issue today, the search engine giant alerted software and hardware vendors.
 
Until the issue is fixed, the trio recommended disabling SSL 3.0 on servers and in clients. For end users, if your browser supports SSL 3.0, you are advised to disable its support or, better, use tools that support TLS_FALLBACK_SCSV (Transport Layer Security Signalling Cipher Suite Value), which prevents downgrade attacks.
 
POODLE is a vulnerability lying within the codes of SSL, which is why it affects the widely used browsers. In response to the issue, Google has announced that it is scrubbing SSL 3.0 support from Chrome browser and will soon remove SSL 3.0 support completely from all its products in the coming months.

Mozilla on its part has also announced that it plans to turn off SSL 3.0 in Firefox. "SSLv3 will be disabled by default in Firefox 34," which the company will release next month. The code to disable the protocol will be available tonight via Nightly.

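How a server that has SSL 3.0 disabled and honours TLS_FALLBACK_SCSV treats a downgraded retry, as an added example that is not part of the original post. It follows the server rule later published as RFC 7507; the function names, the default version range and the sample ClientHello bytes are constructed for illustration.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600       # signalling cipher suite value (RFC 7507)
INAPPROPRIATE_FALLBACK = 86      # fatal alert sent when a downgrade is detected
PROTOCOL_VERSION = 70            # fatal alert for an unsupported protocol version
SSL3, TLS10, TLS12 = 0x0300, 0x0301, 0x0303

def build_client_hello(version, suites):
    """Constructed sample input: minimal ClientHello record, no extensions."""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    hello = (version.to_bytes(2, "big") + bytes(32) + b"\x00"   # version, random, empty session_id
             + len(cs).to_bytes(2, "big") + cs + b"\x01\x00")   # suites, null compression
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, TLS10, len(hs)) + hs

def parse_client_hello(record):
    """Return (client_version, cipher_suites) from one record holding a ClientHello."""
    if len(record) < 9:
        raise ValueError("truncated record")
    ctype, _, rec_len = struct.unpack("!BHH", record[:5])
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if ctype != 22 or record[5] != 1 or rec_len != hs_len + 4 or len(hello) != hs_len:
        raise ValueError("not a single complete ClientHello")
    if hs_len < 35:
        raise ValueError("ClientHello too short")
    version = int.from_bytes(hello[:2], "big")
    pos = 34 + 1 + hello[34]                      # skip version, random, session_id
    if pos + 2 > hs_len:
        raise ValueError("missing cipher_suites")
    n = int.from_bytes(hello[pos:pos + 2], "big")
    raw = hello[pos + 2:pos + 2 + n]
    if n == 0 or n % 2 or len(raw) != n:
        raise ValueError("malformed cipher_suites")
    return version, [int.from_bytes(raw[i:i + 2], "big") for i in range(0, n, 2)]

def server_decision(record, server_min=TLS10, server_max=TLS12):
    """Apply the fallback-SCSV rule first, then the ordinary version check."""
    version, suites = parse_client_hello(record)
    if TLS_FALLBACK_SCSV in suites and version < server_max:
        return ("alert", INAPPROPRIATE_FALLBACK)  # client fell back although we support better
    if version < server_min:
        return ("alert", PROTOCOL_VERSION)        # SSL 3.0 is disabled on this server
    return ("negotiate", min(version, server_max))

if __name__ == "__main__":
    retry = build_client_hello(SSL3, [0x002F, TLS_FALLBACK_SCSV])
    print(server_decision(retry))
```

Passing `server_min=SSL3` models a server that still accepts SSL 3.0: a client that omits the signalling value is then negotiated down to SSL 3.0, which is why disabling the protocol remains the primary fix.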