Common Folk Collective » POODLE http://commonfolkcollective.com/blog Common Folk Doing Uncommon Things Tue, 15 Mar 2016 17:08:24 +0000 en-US hourly 1 http://wordpress.org/?v=3.9 What You Need to Know About POODLE (includes a History) http://commonfolkcollective.com/blog/2014/10/what-you-need-to-know-about-poodle-includes-a-history/?utm_source=rss&utm_medium=rss&utm_campaign=what-you-need-to-know-about-poodle-includes-a-history http://commonfolkcollective.com/blog/2014/10/what-you-need-to-know-about-poodle-includes-a-history/#comments Fri, 17 Oct 2014 15:55:32 +0000 http://commonfolkcollective.com/blog/?p=5703 What you need to know about Poodle is that when you connect to a secure server aka https there are several protocols and versions of said protocols available to create the secure connection. Secure Socket Layer (SSL) was the first, it was created by Netscape. [Side note it’s part of why they were giving their browser away they wanted to make money selling the SSL server to businesses so that you could have secure transactions over the internet, basically before 1995 all connections to web servers were insecure.] They started with SSL v2, v1 was internal only and never released to the public. Within a year there were a lot flaws discovered and in 1996 they released SSL v3. Also to feed into your Illuminati vision of the internet SSL 3.0 draft was release by the Internet Engineering Task Force in a Request for Comments http://tools.ietf.org/html/rfc6101 The RCF are essentially the guides use by developers to implement the protocols.
In 1999 they came up with a newer protocol Transport Security Layer (TLS) So starting at this point newer browsers would first ask it the server supported TLS v1 if it didn’t then it would revert to SSL v3 (which is weaker) As TLS 1.1 and 1.2 came out this trend would continue. Where you’d start off with the best protocol and then go back and forth until you found one you both supported. This was done because a lot people don’t update their browsers or servers.

Now that you have the background. Some researchers at Google discovered a big flaw in SSL v3 which a lot of sites kept around, why you may ask? Because of motherfuckin’ Internet Explorer 6, it only supported SSL v3.

So the danger is that if the server supports SSL v3 your traffic can be sniffed. The responsibility is on server owners to stop supporting SSL v3 _but_ you can also, usually, force your browser to not accept SSL v3.

Share

]]>
http://commonfolkcollective.com/blog/2014/10/what-you-need-to-know-about-poodle-includes-a-history/feed/ 0