POODLE Flaw Returns, This Time Hitting TLS Protocol

← Back to Stories (view on slashdot.org)

POODLE Flaw Returns, This Time Hitting TLS Protocol

Posted by Soulskill on Monday December 8, 2014 @08:30PM from the its-bite-is-worse-than-its-bark dept.

angry tapir writes: If you patched your sites against a serious SSL flaw discovered in October you will have to check them again. Researchers have discovered that the POODLE vulnerability also affects implementations of the newer TLS protocol. The POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability allows attackers who manage to intercept traffic between a user's browser and an HTTPS website to decrypt sensitive information, like the user's authentication cookies.

8 of 54 comments (clear)

Min score:

Reason:

Sort:

Test your site with this by cyrus0101 · 2014-12-08 20:57 · Score: 5, Informative

The article references the SSL Labs tool which includes the TLS POODLE test: https://www.ssllabs.com/ssltes...
1. Re:Test your site with this by Architect_sasyr · 2014-12-08 22:58 · Score: 3, Insightful
  
  The SSL Labs are a fantastic reference.
  
  Turns out when I was using their guides and aiming for an A+ rating in October (not long after I took over the current post) I accidentally mitigated TLS POODLE before it even became publicly known. So.. whoops? Better not follow the best practices guides next time, better just patch the vulnerabilities as they come ;)
  
  --
  Me failed English...
  FreeBSD over Linux. If my comments seem odd, this may explain...
2. Re:Test your site with this by RyoShin · 2014-12-09 10:18 · Score: 2
  
  Thankfully, this looks to be an implementation issue and not a protocol issue like SSL had. From the blog of the folks who run that SSL test:
  
  As problems go, this one should be easy to fix. [...] [E]ven though TLS is very strict about how its padding is formatted, it turns out that some TLS implementations omit to check the padding structure after decryption. Such implementations are vulnerable to the POODLE attack even with TLS. [...] According to our most recent SSL Pulse scan (which hasn’t been published yet), about 10% of the servers are vulnerable to the POODLE attack against TLS.
Re:After the jump BULLSHIT by Nyder · 2014-12-08 21:01 · Score: 3, Funny

Don't you mean Dog shit instead of bullshit? After all, this is a POODLE vulnerability.

--
Be seeing you...
Re: A question I hope someone can answer by Anonymous Coward · 2014-12-08 22:13 · Score: 5, Insightful

Have you considered upgrading your browser!
Re:A question I hope someone can answer by lgw · 2014-12-09 01:52 · Score: 2

don't know his exact situation, but it's possible that the company he works at has an app that only works with IE6. There used to be many apps like this.
That's no excuse! IE6 belongs in a VM used only for internal sites and strictly firewalled off from the outside world. But even if you're stuck with IE6, at least run the latest FF or something beside it.

--
Socialism: a lie told by totalitarians and believed by fools.
Re:After the jump BULLSHIT by Anonymous Coward · 2014-12-09 02:12 · Score: 2, Interesting

Not to feed the trolls more but... did you know that if you are logged in you can click the comment score and SEE all the moderation on the comment?
At the current time, the post in question started at 2 and has +1 Funny for a total of 3.

If you are logged in, you can also change the weight of users to remove the karma bonus.
implementation flaw not protocol flaw by Anonymous Coward · 2014-12-09 05:11 · Score: 2, Informative

It is very important to understand that this is a flaw in some vendors' TLS implementation, NOT in the tls protocol itself.