curl-library

Re: SSLv3 fallback attack POODLE

From: Florian Weimer <fweimer_at_redhat.com>
Date: Fri, 17 Oct 2014 06:56:48 +0200

On 10/15/2014 08:58 AM, Ray Satiro wrote:
> I read today of a new method to decrypt SSL called POODLE. If you
> haven't read of it you should. It works by using SSL fallback behavior
> to get SSLv3 which can now be decrypted [1][2].

The OpenSSL change is unnecessary because the OpenSSL code does not
actually fall back to SSL 3.0.

The only TLS backend which implements insecure fallback to SSL 3.0 is
NSS. Perhaps that fallback code can be removed completely?

-- 
Florian Weimer / Red Hat Product Security
Received on 2014-10-17