oss-sec mailing list archives
Re: Truly scary SSL 3.0 vuln to be revealed soon:
From: Hanno Böck <hanno () hboeck de>
Date: Wed, 15 Oct 2014 13:55:19 +0200
On Wed, 15 Oct 2014 11:13:37 +0200, Pierre Schweitzer <pierre () reactos org> wrote:

> It says you can recover plain text of ciphered text, using a specific method. But, in the end it means you'll have plain text + ciphered text of the same text. Does that mean you can easily brute-force the key that was used? So that you can actually, if you logged the complete session, decipher the whole session of the user? And not only the cookie?

No. If you could brute force the key then this would indicate a completely broken ciphersuite. We're usually talking about AES or 3DES here. These are considered reasonably safe. You only get the cookie. The reason this matters is that cookies often contain a secure token that is used to indicate the session. So you can take over a session, e.g. for a mail account.

--
Hanno Böck
http://hboeck.de/
mail/jabber: hanno () hboeck de
GPG: BBB51E42