Re: How to prevent SSLv3/Poodle attack?


On 16 October 2014 11:14, Sven Schwedas <sven.schwedas@xxxxxx> wrote:
> On 2014-10-15 18:20, Geoff Winkless wrote:
>> Well the only thing new about POODLE versus previous known
>> vulnerabilities is the way to manipulate the known vulnerability to gain
>> the session cookie, which you can then re-use to log on to the site for
>> yourself without needing to authenticate.
>
> I think the more important new concept is that arbitrary sessions can be
> downgraded to use a known vulnerable cipher/protocol version, even if
> more secure ones are available and servers/clients use cipher suite pinning
> and all the other tricks we came up with to mitigate BEAST et al.

Ahhh. Thanks, I figured I must have missed the point :)

Although it isn't exactly news - referenced from the article:

Geoff
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
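The downgrade Sven describes, and the two defences the thread title asks about, are easy to see in a small offline simulation. The following is an added illustration written for this archive page; it is not code from the thread, from Cyrus, or from any TLS library. Version labels, the `Server`, `Network` and `connect` names, the "AES128-SHA" placeholder suite and the on-path interference model are all constructed for the example; the one real identifier is TLS_FALLBACK_SCSV, the signalling cipher suite value from RFC 7507.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Protocol versions in preference order, highest first (constructed labels).
VERSIONS = ["TLS1.2", "TLS1.1", "TLS1.0", "SSLv3"]
# RFC 7507 signalling cipher suite value a client adds to a retried, lower-version hello.
TLS_FALLBACK_SCSV = "TLS_FALLBACK_SCSV"


@dataclass
class ClientHello:
    version: str
    cipher_suites: List[str]


@dataclass
class Server:
    """Server with a configurable set of enabled protocol versions."""
    supported: List[str]

    def handle(self, hello: ClientHello) -> Tuple[str, Optional[str]]:
        if hello.version not in self.supported:
            return ("handshake_failure", None)
        highest = next(v for v in VERSIONS if v in self.supported)
        # RFC 7507: a hello carrying the SCSV at a version below the server's best
        # means the client was pushed down, so refuse instead of negotiating.
        if TLS_FALLBACK_SCSV in hello.cipher_suites and \
                VERSIONS.index(hello.version) > VERSIONS.index(highest):
            return ("inappropriate_fallback", None)
        return ("ok", hello.version)


@dataclass
class Network:
    """Constructed on-path interference model: any hello newer than
    `block_above` is dropped before the server sees it, which the client
    experiences as a failed handshake."""
    block_above: Optional[str] = None

    def deliver(self, server: Server, hello: ClientHello) -> Tuple[str, Optional[str]]:
        if self.block_above is not None and \
                VERSIONS.index(hello.version) < VERSIONS.index(self.block_above):
            return ("handshake_failure", None)
        return server.handle(hello)


def connect(server: Server, network: Network, use_scsv: bool):
    """Legacy browser 'downgrade dance': on failure, retry one version lower.
    Returns (negotiated_version_or_None, transcript of (version, outcome))."""
    transcript = []
    for i, version in enumerate(VERSIONS):
        suites = ["AES128-SHA"]           # constructed placeholder suite name
        if use_scsv and i > 0:            # only retries carry the SCSV
            suites.append(TLS_FALLBACK_SCSV)
        outcome, negotiated = network.deliver(server, ClientHello(version, suites))
        transcript.append((version, outcome))
        if outcome == "ok":
            return negotiated, transcript
        if outcome == "inappropriate_fallback":
            break                          # server refused the downgrade; stop
    return None, transcript


def demo():
    """Four scenarios: clean path, interference without SCSV, with SCSV,
    and interference against a server that has SSLv3 disabled."""
    everything = Server(VERSIONS)
    no_sslv3 = Server(["TLS1.2", "TLS1.1", "TLS1.0"])
    clean = Network()
    hostile = Network(block_above="SSLv3")
    return {
        "clean": connect(everything, clean, use_scsv=False)[0],
        "downgraded": connect(everything, hostile, use_scsv=False)[0],
        "scsv_refused": connect(everything, hostile, use_scsv=True)[0],
        "sslv3_disabled": connect(no_sslv3, hostile, use_scsv=False)[0],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} -> {result}")
```

Running `demo()` shows the point of Sven's reply: with every version enabled on the server and a client that retries downward, interference on the path alone is enough to land the session on SSLv3. The two outcomes that end with no connection rather than an SSLv3 one are the defences: TLS_FALLBACK_SCSV, which only helps when both client and server implement RFC 7507, and simply not enabling SSLv3 on the server, which needs no cooperation from the client.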
