Wednesday, October 15, 2014
Two Google researchers, Juliano Rizzo and Thai Duong have uncovered a security bug in widely used web encryption technology that they say could allow hackers to steal data in what they have dubbed a “Poodle” attack.
“Poodle” stands for Padding Oracle On Downloaded Legacy Encryption.
The problem is an 18-year old encryption standard, known as SSL 3.0, which is still widely used in web browsers and websites. It was disclosed in a research paper published late on Tuesday on the website of the OpenSSL Project, a group that develops the most widely used type of SSL encryption software.
The attack, developed by Juliano Rizzo and Thai Duong, will be presented at the Ekoparty conference in Argentina on Friday, and, unlike many other attacks on TLS and SSL, it has nothing to do with the certificate trust model in the protocol. Instead, the researchers have developed a tool called BEAST that enables them to grab and decrypt HTTPS cookies from active user sessions. The attack can even decrypt cookies that are marked HTTPS only from sites that use HTTP Strict Transport Security, which forces browsers to communicate over TLS/SSL when it’s available. The researchers use what’s known as a block-wise chosen-plaintext attack against the AES encryption algorithm that’s used in TLS/SSL.
To do that, however, they would need to launch a “man-in-the-middle” attack, placing themselves in between the victim and the websites they were visiting. One common approach is to create a rogue WiFi “hot spot” in an Internet cafe.
"Indusface has proved to be a valuable security partner with its Total Application Security solution. Their 'detect-protect-monitor' package handles security worries so we can focus on improving services for our customers. Vulnerability detection, attack blocking and near real-time reports are some of the key differentiators that we enjoy with them. The web application scanning and web protection combination ..."
"As one of the leading banks in India, securing application infrastructure is critical for us. Indusface’s Total Application Security package allows us to scan vulnerabilities continuously and prevent attacks. Indusface also provides the unique benefits of expert handling and tuning on custom rules with round-the-clock traffic monitoring and protection through on-premise appliances ..."
"Our complete ecommerce infrastructure is hosted on the cloud and we are glad to have Indusface as partner for web security. Due to their association with cloud service providers and prompt deployment options, Indusface was the preferred security choice. The on-demand and scheduled scanning helps us keep track of vulnerabilities that may otherwise damage our website or put customers at risk ..."