The Register has an article about an SSL 3.0 vulnerability which is set to be released shortly. It appears that the vulnerability is currently embargoed to allow vendors to coordinate patches. El Reg is inferring from this embargo that the vulnerability will be one of some significance, à la Heartbleed.
The article is exceptionally light on details or substance, and it's not even entirely clear as to when this vulnerability will be announced: The URL says "nasty_ssl_30_vulnerability_to_drop_tomorrow", but the article is dated today (October 14) and the wording seems to imply the details will be released at around noon PDT (19:00 UTC) today.
Perhaps if and when this submission finds its way to the front page, there will be more details available and an update will be warranted.
Related Stories
I received an e-mail from THAWTE tonight about the new "nasty" SSL vulnerability we learned about. From the e-mail:
Thawte is aware of and currently investigating CVE 2014-3566 SSL v3.0 POODLE vulnerability. This vulnerability affects servers still running SSL 3.0. It centers on cipher block chaining (CBC) encryption implementation and allows attackers with a Man-in-the-Middle (MITM) position to derive the contents of a secure payload based on responses received from requests sent from a compromised browser to a legitimate server.
(Score: 0) by Anonymous Coward on Tuesday October 14 2014, @11:02PM
Not much to talk about though is there?
(Score: 2) by skullz on Tuesday October 14 2014, @11:05PM
Well, it *is* The Reg clickbait.
I did a few searches but only found similar "doom, DOOOOM!!!1one" articles.
(Score: 2) by Leebert on Tuesday October 14 2014, @11:13PM
I've heard some more reliable rumblings beyond The Register article. Alas I cannot go into particulars aside from the fact that I understand it might be related to MITM attacks. Which kinda sucks since that's what SSL exists to avoid.
Then again, I've also heard some other rumblings that downplay it. So... *shrug*. :)
I do wonder if it's somehow related to the Dropbox password compromise...
Either way, seems like a good idea to avoid making dinner plans for Wednesday.
(Score: 0) by Anonymous Coward on Wednesday October 15 2014, @12:38AM
As predicted by The Register, security researchers have disclosed a vulnerability in SSL 3.0 that allows attackers to determine the plaintext of secure connections. [theregister.co.uk]
(Score: 5, Informative) by frojack on Wednesday October 15 2014, @01:22AM
Not Click-bait. Once again the Register scoops:
Google discovered this and covered it briefly here
http://googleonlinesecurity.blogspot.com.au/2014/10/this-poodle-bites-exploiting-ssl-30.html [blogspot.com.au]
And in detail here:
https://www.openssl.org/~bodo/ssl-poodle.pdf [openssl.org]
No, you are mistaken. I've always had this sig.
(Score: 2) by mcgrew on Wednesday October 15 2014, @08:40PM
Well, it *is* The Reg clickbait.
I would have thought s/n would have learned its lesson about that awful source of misinformation earlier this year when a doom-and-gloom story turned out to be not the least gloomy because El Reg left out the most important parts, the parts that say "oh, this isn't a story at all".
From what I read yesterday at several sites, POODLE is indeed worrying but the sky isn't falling. If you're on a network with a firewall you're safe and defending against it is easy unless you're running IE 6 in XP. And even then, you have to be on a site that uses very old code.
One worrying story said that Apple's app store got bit by it.
mcgrewbooks.com mcgrew.info nooze.org
(Score: 4, Informative) by Bill Dimm on Tuesday October 14 2014, @11:32PM
This POODLE bites: exploiting the SSL 3.0 fallback [blogspot.com]
(Score: 0) by Anonymous Coward on Tuesday October 14 2014, @11:57PM
http://en.wikipedia.org/wiki/Station-to-Station_protocol [wikipedia.org]
(Score: 0) by Anonymous Coward on Wednesday October 15 2014, @12:07AM
Smells like PGP with a different name, and "protocol" added on.
(Score: 0) by Anonymous Coward on Wednesday October 15 2014, @12:12AM
Public keypairs generated on each end and verified.
If not using the CA infrastructure (private CA or self-signed certs), then SSL with client certificates is the same thing, isn't it?
(Score: 0) by Anonymous Coward on Wednesday October 15 2014, @12:29AM
Still too many moving parts with SSL. Just compare the sizes of the specification documents:
TLS 1.2 (RFC 5246)
http://www.ietf.org/rfc/rfc5246.txt [ietf.org]
http://webcache.googleusercontent.com/search?q=cache:6iBbW4XYuaMJ:www.ietf.org/rfc/rfc5246.txt&client=firefox-a&hs=59D&hl=en&gl=us&strip=1 [googleusercontent.com]
64,472 bytes [Can't access ietf.org from my ISP but Google can! :( ]
http://en.wikipedia.org/wiki/Station-to-Station_protocol [wikipedia.org]
14,721 bytes
STS is an equivalent secure, authenticated communications protocol described in about 25% of the space as the more complicated TLS 1.2
So why wasn't SSL codified like STS instead? It would be MUCH easier to code HTTPS servers from scratch to use STS rather than TLS along with a bignum library.
(Score: 2) by kaszz on Wednesday October 15 2014, @05:16AM
It has been a strategy by certain organizations to complicate protocols to deter developers from supporting them. Rumors say IPv6-sec got a sleeve of this.
(Score: 1, Funny) by Anonymous Coward on Wednesday October 15 2014, @05:57AM
Not only do bugs have fancy names and logos these days, they also have teaser trailers!
(Score: 2) by ticho on Wednesday October 15 2014, @08:29AM
Indeed, it is sad that this one had a "cool" name before it even had a CVE assigned. But now it has both finally: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566 [nist.gov]
(Score: 2) by mcgrew on Wednesday October 15 2014, @08:26PM
The Register??? That rag is good for nothing but a good laugh and is NEVER a good source for news. I saw this on Google News yesterday, and there were lots of stories about it by far better publications.
POODLE [washingtonpost.com]
POODLE [malwaretips.com]
POODLE [winhelp.us]
POODLE [sans.edu]
POODLE [websense.com]
POODLE [trendmicro.com]
POODLE [freedomhacker.net]
POODLE [nbcnews.com]
POODLE [cisco.com]
Hell, search just for "poodle malware site:computerworld.com" gives pages and pages of POODLE [google.com] on a single respected (unlike El Reg) web site.
mcgrewbooks.com mcgrew.info nooze.org
(Score: 2) by Leebert on Thursday October 16 2014, @01:55PM
Not at the time this story was submitted. I know because I looked. The story was submitted on Tuesday at around noon Eastern. Later that afternoon (Eastern), a few other sites referenced The Register.
Your first link, WaPo, was published on Wednesday.
Your second link, MalwareTips, was published in the evening on Tuesday.
Your third link, Winhelp, was published on Wednesday.
Your fourth link, SANS, was published "One Day Ago".
See a pattern?