2014-10-15

POODLE Vulnerability

Update 14-Dec-14:
Poodle vulnerability is back. It has been discovered that this same vulnerability applies to a certain versions of TLS as well.


Update 15-Oct-14:
As if the system admins weren't already sick and tired of patching (Heartbleed and then Shellshock), here comes another vulnerability.

It is now a trend to give your discovered vulnerability a fancy name, and so Google (the discoverer) calls it POODLE, which stands for: Padding Oracle On Downgraded Legacy Encryption.

And no, this isn't even half as bad as Heartbleed or Shellshock:
  1. The vulnerability is present in SSL v3 and earlier.
  2. This vulnerability does not put the servers at a risk, but the clients.
  3. This vulnerability's prerequisite is for the attacker to have network level access to the victim. So, either a MITM, sniffing wifi connections, or being NSA with hooks in the data-centers
Troy Hunt explains it here. Errata explains the risk and myths. Another simple article for dummies.

No comments:

Post a Comment