Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Encryption The Internet

POODLE Flaw Returns, This Time Hitting TLS Protocol 54

angry tapir writes: If you patched your sites against a serious SSL flaw discovered in October you will have to check them again. Researchers have discovered that the POODLE vulnerability also affects implementations of the newer TLS protocol. The POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability allows attackers who manage to intercept traffic between a user's browser and an HTTPS website to decrypt sensitive information, like the user's authentication cookies.
This discussion has been archived. No new comments can be posted.

POODLE Flaw Returns, This Time Hitting TLS Protocol

Comments Filter:
  • by cyrus0101 ( 1750660 ) on Tuesday December 09, 2014 @03:57AM (#48553527)
    The article references the SSL Labs tool which includes the TLS POODLE test: https://www.ssllabs.com/ssltes... [ssllabs.com]
    • by Architect_sasyr ( 938685 ) on Tuesday December 09, 2014 @05:58AM (#48553897)
      The SSL Labs are a fantastic reference.

      Turns out when I was using their guides and aiming for an A+ rating in October (not long after I took over the current post) I accidentally mitigated TLS POODLE before it even became publicly known. So.. whoops? Better not follow the best practices guides next time, better just patch the vulnerabilities as they come ;)
    • If you're using IIS 7.5/8 there's this script [www.hass.de] for securing* it. Though it may lock out XP users (which probably isn't a bad thing) due to disabling RC4.

      * You there in the back, stop laughing.

    • by RyoShin ( 610051 )

      Thankfully, this looks to be an implementation issue and not a protocol issue like SSL had. From the blog of the folks who run that SSL test [qualys.com]:

      As problems go, this one should be easy to fix. [...] [E]ven though TLS is very strict about how its padding is formatted, it turns out that some TLS implementations omit to check the padding structure after decryption. Such implementations are vulnerable to the POODLE attack even with TLS. [...] According to our most recent SSL Pulse scan (which hasn’t been publ

  • If there were a just and caring God, he would never let geeks name things.

    POODLE?

    Jesus wept. Literally. He heard the name and wept tears.

    Geeks made baby Jesus cry.

    • It is an acronym. Padding Oracle On Downgraded Legacy Encryption. Convenient, annoying, but not just randomly made up like so much other tech jargon.
  • My mac mail has been messed up by this and I have had to disable ssl entirely or I can neither send nor receive mail despite having changed the port to one recommended by my web host. I have done a lot of googling on this but nothing solves the problem - otherwise I wouldn't bring it up here.

    Anyone who doesn't irrationally hate Apple have any tips, suggestions for fixing this? I'm still using OS X 10.7 so maybe my best bet is to upgrade the OS, but would like to avoid doing so to keep some older programs r

    • I'm still using OS X 10.7 so maybe my best bet is to upgrade the OS, but would like to avoid doing so to keep some older programs running.

      Out of curiosity, what programs do you use that break post-10.7?

      The only program I've run into that works on 10.7 but not anything after is QuarkXPress 8 (and earlier) using a License Server (the license server networking code uses a deprecated system library).

      Other than that, Yosemite has been grand.

  • by Anonymous Coward

    It is very important to understand that this is a flaw in some vendors' TLS implementation, NOT in the tls protocol itself.

    • It is very important to understand that this is a flaw in some vendors' TLS implementation, NOT in the tls protocol itself.

      The protocol invites this sort of implementation error. Hence proposals like this: http://clearcrypt.org/tls/ [clearcrypt.org]

The sooner all the animals are extinct, the sooner we'll find their money. - Ed Bluestone

Working...