Poodle



ironmonger
10-23-2014, 09:05 PM
Not your dog, it's a security breach... again

http://windowssecrets.com/top-story/protecting-yourself-from-poodle-attacks/

paul

TGTool
10-23-2014, 11:14 PM
Hmm. I can read the first paragraph of the article but the site then wants some information from me to read further. I don't think that's an exploit but the process sounds altogether too much like some real scams.

Can you give us a synopsis Paul?

RichR
10-24-2014, 12:00 AM
The questions are pretty benign. It asked me what temperature I keep my thermostat at and another question that I don't remember. Then the rest of the text became visible. It's harmless.

ironmonger
10-24-2014, 06:55 AM
Or you can click on the last option, which is "no answer" I believe. I have been a paid subscriber at this site for years.

Here is a snippet which describes the problem:

"Perhaps most problematic, there’s no quick patch or easy fix; the flaw is hard-coded within SSL 3.0. As Scott Helme explains on his blog (https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/), the “attack, specifically against the SSLv3 protocol, allows an attacker to obtain the plaintext of certain parts of an SSL connection, such as the cookie.”

A note on terminology here: SSL and TLS (Transport Layer Security) are often referred to simply as SSL. However, TLS officially replaced the SSL 3.0 protocol over a decade ago. But like most things on the Web, the SSL 3.0 protocol lives on and is still in widespread use. (See the Wikipedia “Transport Layer Security” page (http://en.wikipedia.org/wiki/Transport_Layer_Security#TLS) for more details.)

In short, the SSL protocols are all vulnerable; the TLS protocols, as far as we know, aren’t.
The POODLE exploit compromises the SSL protocol by forcing the server/browser connection to downgrade its TLS connection to SSL 3.0. That change allows leaks of cookie information, which could then lead to the disclosure of sensitive, personal information."

This is not OS dependent. I would suspect that there is a similar setting in Safari for Apple but I have no idea where it may be.

paul
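
Added example (not part of the thread or the quoted article): the quoted snippet says POODLE depends on the connection being downgraded to SSL 3.0, so a defender can read the version field of the server's ServerHello to see whether a connection settled on SSL 3.0. The function names and the sample records are constructed for illustration.

```python
import struct

# Protocol version numbers as they appear on the wire.
VERSIONS = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",  # TLS 1.3 also puts 0x0303 in this field
}

HANDSHAKE = 0x16     # record content type for handshake messages
SERVER_HELLO = 0x02  # handshake message type


def negotiated_version(record: bytes) -> int:
    """Return the version the server selected in a ServerHello record."""
    if len(record) < 11:
        raise ValueError("record too short for a ServerHello")
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record")
    if rec_len > len(record) - 5:
        raise ValueError("truncated record")
    if record[5] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    # Bytes 6-8 are the handshake length; the chosen version follows.
    (version,) = struct.unpack("!H", record[9:11])
    return version


def is_poodle_exposed(record: bytes) -> bool:
    """True when the connection settled on SSL 3.0, the version POODLE needs."""
    return negotiated_version(record) == 0x0300


def make_server_hello(version: int) -> bytes:
    """Build a minimal constructed ServerHello (sample data, not captured traffic)."""
    # version, 32-byte random, empty session id, one cipher suite, null compression
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, version, len(handshake)) + handshake


if __name__ == "__main__":
    for v in (0x0303, 0x0300):
        rec = make_server_hello(v)
        name = VERSIONS.get(negotiated_version(rec), "unknown")
        print(f"{name}: flag={is_poodle_exposed(rec)}")
```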