Overview

The POODLE attack exploits a flaw that is specific to SSLv3 with CBC-based cipher suites.

Poodle relies on an often overlooked feature of SSLv3: most padding bytes are ignored.

In TLS 1.0, the padding (bytes added in a record to make the length compatible with CBC Encryption, which only processes full blocks) is fully specified; all the bytes must have a specific value and the recipient checks that.

In SSLv3, padding byte contents are ignored, which allows an attacker to perform alterations that go mostly unnoticed. The alterations affect only non-application data, but can be used as a decryption oracle in a way vaguely similar to BEAST.
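The difference between the two padding checks, as an added example that is not part of the original page. The function names and sample records are constructed for illustration, and only the padded tail of an already-decrypted record is modelled (no MAC, no encryption).

```python
# Added illustration: CBC padding validation as SSLv3 and TLS 1.0 define it.
# Names and sample data are constructed for this example.

BLOCK = 8  # cipher block size in bytes (8 for 3DES-CBC, 16 for AES-CBC)


def sslv3_padding_ok(plaintext: bytes, block: int = BLOCK) -> bool:
    """SSLv3: only the final padding-length byte is examined."""
    if not plaintext or len(plaintext) % block:
        return False
    pad_len = plaintext[-1]
    # The padding must be shorter than one block; the padding bytes
    # themselves may hold any value and are never inspected.
    return pad_len < block and pad_len + 1 <= len(plaintext)


def tls10_padding_ok(plaintext: bytes, block: int = BLOCK) -> bool:
    """TLS 1.0: every padding byte must equal the padding length."""
    if not plaintext or len(plaintext) % block:
        return False
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return False
    return all(b == pad_len for b in plaintext[-(pad_len + 1):])


def compare(plaintext: bytes) -> tuple:
    """Return (accepted under SSLv3 rules, accepted under TLS 1.0 rules)."""
    return sslv3_padding_ok(plaintext), tls10_padding_ok(plaintext)


# Constructed sample: one block of data followed by a full block of padding
# (7 padding bytes plus the length byte, all set to 7 as TLS 1.0 requires).
WELL_FORMED = b"GET / HT" + bytes([7] * 8)

# Same record with the padding bytes altered; only the length byte is intact.
ALTERED = b"GET / HT" + bytes([0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x02, 0x03, 0x07])

if __name__ == "__main__":
    for name, rec in (("well-formed", WELL_FORMED), ("altered", ALTERED)):
        ssl3, tls10 = compare(rec)
        print(f"{name:12} SSLv3 accepts={ssl3}  TLS 1.0 accepts={tls10}")
```

The altered record passes the SSLv3 check and fails the TLS 1.0 check, which is the gap the page describes.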

Resolution

The best resolution we can find is to configure servers to allow only TLS 1.1 or TLS 1.2.

There are some concerns about whether "older" devices, typically smaller devices, can support a configuration that allows only TLS 1.1 or TLS 1.2. Do your own due diligence.

This page (revision-2) was last changed on 29-Apr-2015 13:15 by jim