Relying on SSL 3.0 ? POODLE Byte Attack can rip it apart !

Two Google researchers, Juliano Rizzo and Thai Duong have uncovered a security bug in widely used web encryption technology that they say could allow hackers to steal data in what they have dubbed a “Poodle” attack.

“Poodle” stands for Padding Oracle On Downloaded Legacy Encryption.

The problem is an 18-year old encryption standard, known as SSL 3.0, which is still widely used in web browsers and websites. It was disclosed in a research paper published late on Tuesday on the website of the OpenSSL Project, a group that develops the most widely used type of SSL encryption software.

The attack, developed by Juliano Rizzo and Thai Duong, will be presented at the Ekoparty conference in Argentina on Friday, and, unlike many other attacks on TLS and SSL, it has nothing to do with the certificate trust model in the protocol. Instead, the researchers have developed a tool called BEAST that enables them to grab and decrypt HTTPS cookies from active user sessions. The attack can even decrypt cookies that are marked HTTPS only from sites that use HTTP Strict Transport Security, which forces browsers to communicate over TLS/SSL when it’s available. The researchers use what’s known as a block-wise chosen-plaintext attack against the AES encryption algorithm that’s used in TLS/SSL.

To do that, however, they would need to launch a “man-in-the-middle” attack, placing themselves in between the victim and the websites they were visiting. One common approach is to create a rogue WiFi “hot spot” in an Internet cafe.

References:

http://googleonlinesecurity.blogspot.com.au/2014/10/this-poodle-bites-exploiting-ssl-30.html