http://arstechnica.com/security/2014/12/meaner-poodle-bug-that-bypasses-tls-crypto-bites-10-percent-of-websites/
By Dan Goodin
Ars Technica
Dec 8 2014
Some of the world's leading websites—including those owned or operated by
Bank of America, VMware, the US Department of Veterans Affairs, and
business consultancy Accenture—are vulnerable to simple attacks that
bypass the transport layer security encryption designed to thwart
eavesdroppers and spoofers.
The attacks are a variation on the so-called POODLE exploits disclosed two
months ago against secure sockets layer (SSL), an encryption protocol
similar to transport layer security (TLS). Short for "Padding Oracle On
Downgraded Legacy Encryption," POODLE allowed attackers monitoring Wi-Fi
hotspots and other unsecured Internet connections to decrypt HTTPS traffic
encrypted by the ancient SSL version 3. Browser makers quickly responded
by limiting or eliminating use of SSLv3, a move that appears to have
averted widespread exploitation of the bug.
On Monday, word emerged that there's a variation on the POODLE attack that
works against widely used implementations of TLS. At the time this post
was being prepared, SSL Server Test, a free service provided by security
firm Qualys, showed that some of the Internet's top websites—again, a list
including Bank of America, VMware, the US Department of Veterans Affairs,
and Accenture—are susceptible. The vulnerability was serious enough to
earn all sites found to be affected a failing grade by the Qualys service.
[...]