POODLE attack through TLS

POODLE = Padding Oracle On Downgraded Legacy Encryption

Once upon a time, in October, I wrote about SSL POODLE, a flaw in how browsers handle encryption: by negotiating a connection down to SSL 3.0, an attacker who can tamper with the padding bytes at the end of a CBC-mode block cipher record can use the server's accept/reject response as an oracle and slowly leak plaintext. Many SSL 3.0 cipher suites have already been abandoned as insecure because of small key sizes and statistical biases, or simply because browsers have removed support for them.

Anything short of TLS 1.2 with an AEAD cipher suite should be considered broken. Qualys SSL Labs has released a tool that checks a website's TLS configuration; use it before visiting sites you care about.
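The bar stated above (TLS 1.2 or newer plus an AEAD suite) as a small Python check. This is an added example, not code from the original post or from Qualys; the host name in the entry point is a placeholder, and the cipher-string fragments used to recognise AEAD suites assume OpenSSL naming.

```python
"""Classify a negotiated TLS session and build a client context that
cannot be negotiated down to SSLv3, TLS 1.0 or TLS 1.1."""
import socket
import ssl

# Fragments of OpenSSL cipher names that identify AEAD suites.
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20-POLY1305")


def is_aead(cipher_name):
    """True if the OpenSSL-style cipher name denotes an AEAD suite."""
    name = cipher_name.upper()
    return any(marker in name for marker in AEAD_MARKERS)


def meets_bar(protocol, cipher_name):
    """True only for TLS 1.2/1.3 combined with an AEAD suite; SSLv3,
    TLS 1.0, TLS 1.1 and every CBC suite fail this check."""
    return protocol in ("TLSv1.2", "TLSv1.3") and is_aead(cipher_name)


def hardened_client_context():
    """Client context that refuses anything below TLS 1.2 and offers only
    AEAD suites, so a POODLE-style downgrade has nothing to fall back to."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string for TLS 1.2; TLS 1.3 suites are AEAD-only anyway.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx


def probe(host, port=443, timeout=5.0):
    """Connect with the hardened context; return (protocol, cipher name).
    A handshake failure here means the server cannot meet the bar at all."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder
    version, cipher = probe(host)
    verdict = "OK" if meets_bar(version, cipher) else "WEAK"
    print(host, version, cipher, verdict)
```

Note that this reports what your hardened client negotiates, not whether the server still accepts SSL 3.0 from weaker clients; that server-side question is what the SSL Labs scan answers.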

POODLE has returned and is likely to affect some of the most popular web sites in the world — including those owned or operated by Bank of America, the US Department of Veterans Affairs, and Accenture.

Read more here.
