oss-sec mailing list archives
Re: Truly scary SSL 3.0 vuln to be revealed soon:
From: Pierre Schweitzer <pierre () reactos org>
Date: Wed, 15 Oct 2014 11:13:37 +0200
I've a naive question regarding the vulnerability, actually.

It says you can recover plain text of ciphered text, using a specific method. But, in the end it means you'll have plain text + ciphered text of the same text. Does that mean you can easily brute-force the key that was used? So that you can actually, if you logged the complete session, decipher the whole session of the user? And not only the cookie? Or would breaking the key still be too complex?

Cheers,

On 10/15/2014 12:41 AM, Hanno Böck wrote:
> It's out:
> https://www.openssl.org/~bodo/ssl-poodle.pdf
> http://googleonlinesecurity.blogspot.de/2014/10/this-poodle-bites-exploiting-ssl-30.html
>
> My conclusion stays the same: Disable SSLv3.

--
Pierre Schweitzer <pierre () reactos org>
System & Network Administrator
Senior Kernel Developer
ReactOS Deutschland e.V.