The Poodle Flaw Is Back
You might remember that I posted a story on a vulnerability called POODLE, which affected SSL 3.0, the protocol used by web browsers among other pieces of software. Vendors shipped fixes and it was thought that life was good.
It turns out that life is not good.
Researchers have discovered that the POODLE vulnerability also affects some implementations of the newer TLS protocol:
Initially, researchers believed it affected only SSL 3.0, an aging protocol superseded by TLS 1.0, 1.1 and 1.2. That still put users at risk, since most browsers and servers still supported SSL 3.0 for backward-compatibility reasons. Attackers were able to force a connection downgrade from TLS to SSL and then exploit the vulnerability.
Security researchers have now discovered that the issue also affects some implementations of TLS in products that don’t properly check the structure of the “padding” used in TLS packets.
Lovely. What’s worse is that if you use a load balancer from F5 Networks or A10 Networks to spread your traffic across multiple servers, then you might have a bigger problem on your hands, because those devices terminate TLS connections themselves, so the flaw has to be fixed on the load balancer and not just on the servers behind it. F5 has patches available now and A10 is expected to have them shortly. But it does show how complex computer security is, as you have to look at every layer of your network, not just the servers, to be sure that it is secure.
If you’re worried about this, and you should be if you are responsible for the security of your network, you can run your hostname through the Qualys SSL Labs server test to see whether you’re exposed. Keep in mind that the test exercises whatever answers on the public TLS endpoint, so on a load-balanced site it is the load balancer you are testing, not the web servers behind it. I’d strongly suggest doing that ASAP. Then I would watch for any updates that address this issue and install them ASAP as well.
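To make the quoted point about padding concrete, here is an added example that is not from the original post or from any of the vendors mentioned in it. It models only the receiver's padding check on an already-decrypted CBC record: the SSL 3.0-style check that looks at the length byte alone, beside the TLS check that also requires every padding byte to equal that length. The MAC length, the block size and the sample record are constructed for the demonstration; encryption and MAC verification are left out.

```python
"""Added example (not from the original post or from F5, A10 or Qualys):
a simplified model of the TLS CBC record padding check.

Layout of a decrypted CBC record (TLS 1.0-1.2, RFC 5246 section 6.2.3.2):

    content || MAC || padding (pad_len bytes) || pad_len (1 byte)

TLS requires every padding byte to equal pad_len. SSL 3.0 only defines the
final length byte and leaves the other padding bytes unchecked. Because the
padding is not covered by the MAC, a receiver that applies the SSL 3.0 rule
to TLS accepts a record whose padding bytes are arbitrary, and that
accept/reject decision is the oracle POODLE relies on.
"""
from typing import Optional, Tuple

MAC_LEN = 20  # assumed tag length (HMAC-SHA1, the common TLS 1.0 case)


def split_record(plaintext: bytes, mac_len: int = MAC_LEN
                 ) -> Optional[Tuple[bytes, bytes, bytes]]:
    """Split a decrypted record into (content, mac, padding) using the
    trailing length byte. Returns None if the declared padding cannot fit."""
    if not plaintext:
        return None
    pad_len = plaintext[-1]
    if pad_len + 1 + mac_len > len(plaintext):
        return None
    padding = plaintext[len(plaintext) - pad_len - 1:-1]
    body = plaintext[:len(plaintext) - pad_len - 1]
    split = len(body) - mac_len
    return body[:split], body[split:], padding


def lax_unpad(plaintext: bytes, mac_len: int = MAC_LEN
              ) -> Optional[Tuple[bytes, bytes]]:
    """SSL 3.0-style check: only the length byte is used and the padding
    bytes are never inspected. Using this rule for TLS is the defect."""
    parts = split_record(plaintext, mac_len)
    if parts is None:
        return None
    content, mac, _padding = parts
    return content, mac


def strict_unpad(plaintext: bytes, mac_len: int = MAC_LEN
                 ) -> Optional[Tuple[bytes, bytes]]:
    """TLS rule: every padding byte must equal pad_len, otherwise reject."""
    parts = split_record(plaintext, mac_len)
    if parts is None:
        return None
    content, mac, padding = parts
    pad_len = plaintext[-1]
    # Real implementations do this comparison in constant time so the
    # rejection itself does not leak timing; a plain loop keeps it readable.
    if any(b != pad_len for b in padding):
        return None
    return content, mac


def build_record(content: bytes, mac: bytes, block_size: int = 16) -> bytes:
    """Append TLS-conformant padding so the record fills whole blocks."""
    body = content + mac
    pad_len = (block_size - (len(body) + 1) % block_size) % block_size
    return body + bytes([pad_len]) * pad_len + bytes([pad_len])


def forge_padding(record: bytes) -> bytes:
    """Keep the length byte but replace the padding bytes with values that
    differ from it. This models only what the receiver sees after the
    ciphertext block covering the padding has been tampered with; the
    ciphertext manipulation itself is not modelled here."""
    pad_len = record[-1]
    junk = bytes(((pad_len + 1 + i) & 0xFF) for i in range(pad_len))
    return record[:len(record) - pad_len - 1] + junk + bytes([pad_len])


def demo() -> dict:
    """Run both checks on a well-formed record and on its forged twin."""
    content = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"  # constructed
    fake_mac = bytes(range(MAC_LEN))  # constructed placeholder tag
    good = build_record(content, fake_mac)
    forged = forge_padding(good)
    return {
        "lax_accepts_good": lax_unpad(good) == (content, fake_mac),
        "strict_accepts_good": strict_unpad(good) == (content, fake_mac),
        "lax_accepts_forged": lax_unpad(forged) is not None,
        "strict_accepts_forged": strict_unpad(forged) is not None,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The lax checker accepts the forged record and hands the (unchanged) content and MAC on to MAC verification, which then passes, so the attacker learns that the guessed length byte was right. The strict checker rejects it before the MAC is ever consulted, which is why TLS as specified is not exposed and only implementations that skipped the full padding comparison are.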
This entry was posted on December 9, 2014 at 8:28 am and is filed under Commentary with tags Security.