david wong

Hey! I'm David, a security consultant at Cryptography Services, the crypto team of NCC Group. This is my blog about cryptography and security and other related topics that I find interesting.

POODLE: new attack on SSL

October 2014

A new attack on SSL 3.0 has been discovered. It's relevant because most browsers (except for Opera) allow a downgrade to SSL 3.0 if a connection using a newer version cannot be established. Of course, an attacker could disrupt the connection to force someone down to SSL 3.0 and then use the POODLE attack.

Full and clear explanation here

You might want a reminder of what CBC is before reading it:


tl;dr: attack happens because of the way padding works in CBC in SSL 3.0
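
To make the tl;dr concrete, here is an added example (not part of the original post) that contrasts the SSL 3.0 padding rule with the TLS 1.0+ rule on an already-decrypted CBC record. The HMAC-SHA1 stand-in MAC, the key, the 8-byte block size and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac

BLOCK = 8                            # CBC block size in bytes (assumed: 3DES; AES is 16)
MAC_KEY = b"constructed-demo-key"    # constructed value, not a real key
MAC_LEN = 20

def mac(data: bytes) -> bytes:
    # Stand-in MAC (HMAC-SHA1). SSL 3.0 uses its own older MAC construction.
    return hmac.new(MAC_KEY, data, hashlib.sha1).digest()

def build_record(data: bytes, filler=None) -> bytes:
    """MAC-then-pad layout: data || MAC(data) || padding || padding_length."""
    body = data + mac(data)
    pad_len = BLOCK - 1 - (len(body) % BLOCK)
    fill = pad_len if filler is None else filler   # TLS senders use pad_len
    return body + bytes([fill]) * pad_len + bytes([pad_len])

def open_record(plaintext: bytes, strict_padding: bool) -> bytes:
    """Return the data if the receiver accepts the record, else raise ValueError."""
    if len(plaintext) < MAC_LEN + 1 or len(plaintext) % BLOCK:
        raise ValueError("bad record length")
    pad_len = plaintext[-1]
    if pad_len + 1 + MAC_LEN > len(plaintext):
        raise ValueError("bad padding length")
    if strict_padding:
        # TLS 1.0+ rule: every padding byte must equal the padding length.
        if any(b != pad_len for b in plaintext[-(pad_len + 1):-1]):
            raise ValueError("bad padding bytes")
    elif pad_len >= BLOCK:
        # SSL 3.0 rule: only the length is constrained, the content is not.
        raise ValueError("bad padding length")
    body = plaintext[:-(pad_len + 1)]
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    # The MAC covers the data only, so it cannot vouch for the padding bytes.
    if not hmac.compare_digest(tag, mac(data)):
        raise ValueError("bad MAC")
    return data

def accepted(plaintext: bytes, strict_padding: bool) -> bool:
    try:
        open_record(plaintext, strict_padding)
        return True
    except ValueError:
        return False

def count_accepted_fillers(strict_padding: bool) -> int:
    """How many of the 256 possible padding filler values the receiver accepts."""
    return sum(accepted(build_record(b"data", v), strict_padding) for v in range(256))
```

Under the SSL 3.0 rule all 256 filler values are accepted, because neither the padding check nor the MAC looks at those bytes; under the TLS rule only the one well-formed padding passes.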
