Re: [SR-Users] Susceptibility to POODLE Vulnerability?

Am 21.10.2014 um 08:01 schrieb Rainer Piper: more informations about SSLv3 POODLE attack SSL 3 is dead, killed by the POODLE attack <https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack> Gepostet von Ivan Ristic <https://community.qualys.com/people/ivanr> in Security Labs <https://community.qualys.com/blogs/securitylabs> am 15.10.2014 12:06:32 The POODLE Attack (CVE-2014-3566) After more than a week of persistent rumours, yesterday (Oct 14) we finally learned about the new SSL 3 vulnerability everyone was afraid of. The so-called POODLE attack <http://googleonlinesecurity.blogspot.com.au/2014/10/this-poodle-bites-exploiting-ssl-30.html> is a problem in the CBC encryption scheme as implemented in the SSL 3 protocol. (Other protocols are not vulnerable because this area had been strengthened in TLS 1.0.) Conceptually, the vulnerability is very similar to the 2011 BEAST exploit. In order to successfully exploit POODLE the attacker must be able to inject malicious JavaScript into the victim's browser and also be able to observe and manipulate encrypted network traffic on the wire. As far as MITM attacks go, this one is complicated, but easier to execute than BEAST because it doesn't require any special browser plugins. If you care to learn the details, you can find them in the short paper <https://www.openssl.org/%7Ebodo/ssl-poodle.pdf> or in Adam Langley's blog post <https://www.imperialviolet.org/2014/10/14/poodle.html>. read more at source -> https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-ki… -- *Rainer Piper* Integration engineer Koeslinstr. 56 53123 BONN GERMANY Phone: +49 228 97167161 P2P: sip:rainer@sip.soho-piper.de:5072 (pjsip-test) XMPP: rainer(a)xmpp.soho-piper.de