Date: Wed, 15 Oct 2014 11:13:37 +0200
From: Pierre Schweitzer <pierre@...ctos.org>
To: oss-security@...ts.openwall.com
Subject: Re: Truly scary SSL 3.0 vuln to be revealed soon:

I've a naive question regarding the vulnerability, actually.

It says you can recover plain text of ciphered text, using a specific
method.
But, in the end it means you'll have plain text + ciphered text of the
same text. Does that mean you can easily bruteforce the key that was
used? So that you can actually, if you logged the complete session,
decipher the whole session of the user? And not only the cookie?
Or would breaking the key still be too complex?

Cheers,

On 10/15/2014 12:41 AM, Hanno Böck wrote:
> It's out:
> 
> https://www.openssl.org/~bodo/ssl-poodle.pdf 
> http://googleonlinesecurity.blogspot.de/2014/10/this-poodle-bites-exploiting-ssl-30.html
>
>  My conclusion stays the same: Disable SSLv3.
> 


- -- 
Pierre Schweitzer <pierre@...ctos.org>
System & Network Administrator
Senior Kernel Developer
ReactOS Deutschland e.V.
