On Fri, Dec 12, 2014 at 5:23 AM, Jakob Bohm <jb-openssl at wisemo.com> wrote:
> On 09/12/2014 21:46, Jeffrey Walton wrote:
>> On Tue, Dec 9, 2014 at 2:07 PM, Amarendra Godbole
>> <amarendra.godbole at gmail.com> wrote:
>>> So Adam Langley writes "SSLv3 decoding function was used with TLS,
>>> then the POODLE attack would work, even against TLS connections." in
>>> his post on the latest POODLE affecting TLS 1.x.
>>> (https://www.imperialviolet.org/).
>>>
>>> I also received a notification from Symantec's DeepSight, that states:
>>> "OpenSSL CVE-2014-8730 Man In The Middle Information Disclosure
>>> Vulnerability".
>>>
>>> However, I could not find more information on OpenSSL's web-site about
>>> POODLE-biting-again. Did I miss any notification? Thanks.
>>
>> Here's some more reading:
>> https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls
>>
>> There's nothing specific to OpenSSL. It's a design defect in the
>> protocols (it's been well known that TLS 1.0 had the same oracle as
>> SSLv3 since only the IV changed between them).
>>
>> It's not surprising that a PoC demonstrates it against TLS 1.0. Many
>> have been waiting for it.
>>
>> It looks like Ubuntu is going to have to enable TLS 1.1 and 1.2 in
>> 12.04 LTS for clients.
>> https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1256576
>
> Stop spreading FUD and lies. This is NOT a protocol weakness in any TLS
> version, it is an implementation *bug* affecting multiple TLS
> implementations, specifically those that don't implement the *required*
> checks of the padding during decryption.

The cryptographers would disagree with you. The various attacks against the
design defects appear to offer proof by counterexample. Here's the analysis
by Krawczyk: "The Order of Encryption and Authentication for Protecting
Communications", http://www.iacr.org/archive/crypto2001/21390309.pdf.

Here are his recent remarks on the TLS WG mailing list, where he revisited
his conclusions and called out SSL/TLS as being unconditionally insecure
(due to a misunderstanding in the way padding was applied). From
http://www.ietf.org/mail-archive/web/tls/current/msg13677.html:

  "So the math in the paper is correct - the conclusion that TLS does it
  right is wrong. It doesn't."

You should probably share your insights on the TLS WG mailing list. You can
join here: https://www.ietf.org/mailman/listinfo/tls.

Jeff
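The two positions in the thread (MAC-then-encrypt as a design defect versus the missing padding check as an implementation bug) can both be seen in a small simulation. The following is an added example, not code from this thread and not OpenSSL's code: it implements MAC-then-pad-then-encrypt CBC records the way SSLv3/TLS do, a decryptor that checks padding either SSLv3-style (length byte only) or TLS-style (every fill byte must equal the length byte), and the POODLE block-substitution attack run against each. The 16-byte block cipher is a toy SHA-256 Feistel network standing in for AES so the script runs offline; the MAC is HMAC-SHA256; the secret, the keys, the per-record random IV (the attacker's view of SSLv3 chaining), and the names `seal`, `open_record`, `padding_ok` and `poodle` are all this example's own assumptions.

```python
"""POODLE against MAC-then-encrypt CBC: SSLv3-style vs. TLS-style padding checks.

Constructed example. The block cipher is a toy 4-round Feistel network built
from SHA-256 (a stand-in for AES, with no security claim of its own).
"""
import hashlib
import hmac
import os

BLOCK = 16   # block size of the toy cipher
TAG = 32     # HMAC-SHA256 output length


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r


def block_decrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for k in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[k:k + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for k in range(0, len(data), BLOCK):
        blk = data[k:k + BLOCK]
        out.append(_xor(block_decrypt(key, blk), prev))
        prev = blk
    return b"".join(out)


def seal(enc_key: bytes, mac_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """MAC-then-pad-then-encrypt, as SSLv3/TLS do: payload || HMAC || padding."""
    tag = hmac.new(mac_key, payload, hashlib.sha256).digest()
    t = BLOCK - (len(payload) + TAG) % BLOCK   # 1..16 padding bytes, last byte = t-1
    pad = bytes([t - 1]) * t                    # TLS fill value; SSLv3 allows any fill
    return cbc_encrypt(enc_key, iv, payload + tag + pad)


def padding_ok(pt: bytes, style: str) -> bool:
    """SSLv3 only looks at the length byte; TLS requires every fill byte == length."""
    t = pt[-1] + 1
    if t > BLOCK or t > len(pt) - TAG:
        return False
    if style == "tls" and any(b != pt[-1] for b in pt[-t:-1]):
        return False
    return True


def open_record(enc_key: bytes, mac_key: bytes, iv: bytes, ct: bytes, style: str) -> bool:
    """True if the record is accepted: this accept/reject bit is the attacker's oracle."""
    pt = cbc_decrypt(enc_key, iv, ct)
    if not padding_ok(pt, style):
        return False
    body = pt[:-(pt[-1] + 1)]
    payload, tag = body[:-TAG], body[-TAG:]
    return hmac.compare_digest(tag, hmac.new(mac_key, payload, hashlib.sha256).digest())


def poodle(victim, oracle, secret_len: int, max_tries: int = 5000):
    """Recover the secret one byte at a time.

    victim(prefix_len, suffix_len) -> (iv, ct) for prefix || secret || suffix,
    oracle(iv, ct) -> accept/reject.  The attacker picks lengths so that
    secret[j] is the last byte of some block C_i and the final block is all
    padding, then resends C_0..C_{n-2} || C_i.  The receiver computes
    D(C_i) ^ C_{n-2} = P_i ^ C_{i-1} ^ C_{n-2} for the last block; the MAC still
    verifies (it covers only the untouched earlier blocks), so an SSLv3-style
    check accepts exactly when that block's last byte equals 15.
    """
    out = bytearray()
    for j in range(secret_len):
        prefix_len = 16 + (15 - j) % 16                        # secret[j] at block offset 15
        suffix_len = (-(prefix_len + secret_len + TAG)) % BLOCK  # make padding a full block
        i = (prefix_len + j) // BLOCK                          # block holding secret[j]
        found = None
        for _ in range(max_tries):
            iv, ct = victim(prefix_len, suffix_len)
            blocks = [iv] + [ct[k:k + BLOCK] for k in range(0, len(ct), BLOCK)]
            forged = blocks[1:-1] + [blocks[i + 1]]   # C_0..C_{n-2} || C_i
            if oracle(iv, b"".join(forged)):
                found = 15 ^ blocks[i][15] ^ blocks[-2][15]  # 15 ^ C_{i-1}[15] ^ C_{n-2}[15]
                break
        if found is None:
            return None                  # no accept in max_tries: the oracle is closed
        out.append(found)
    return bytes(out)


SECRET = b"s3cr3t"   # constructed secret, e.g. a cookie the attacker wants


def make_parties(style: str):
    enc_key, mac_key = os.urandom(16), os.urandom(16)

    def victim(prefix_len: int, suffix_len: int):
        iv = os.urandom(BLOCK)           # fresh chaining value per record
        return iv, seal(enc_key, mac_key, iv, b"A" * prefix_len + SECRET + b"B" * suffix_len)

    def oracle(iv: bytes, ct: bytes) -> bool:
        return open_record(enc_key, mac_key, iv, ct, style)

    return victim, oracle


def run(style: str, max_tries: int = 5000):
    victim, oracle = make_parties(style)
    return poodle(victim, oracle, len(SECRET), max_tries)


if __name__ == "__main__":
    print("SSLv3-style padding check:", run("sslv3"))
    print("TLS-style padding check:  ", run("tls", max_tries=1500))
```

With the SSLv3-style check the attacker needs about 256 resends per byte and recovers the whole secret; with the TLS-style check the same substitution is rejected, because the 15 fill bytes of the decrypted block would all have to be 0x0F. The MAC never objects in either case, which is the point the Krawczyk references make: in a MAC-then-encrypt record the padding is outside the integrity check, so the only thing standing between the attacker and the plaintext is how carefully the receiver inspects the padding.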