On 16 October 2014 11:14, Sven Schwedas <sven.schwe...@tao.at> wrote:
> On 2014-10-15 18:20, Geoff Winkless wrote:
> > Well the only thing new about POODLE versus previous known
> > vulnerabilities is the way to manipulate the known vulnerability to gain
> > the session cookie, which you can then re-use to log on to the site for
> > yourself without needing to authenticate.
>
> I think the more important new concept is that arbitrary sessions can be
> downgraded to use a known vulnerable cipher/protocol version, even if
> more secure are available and servers/clients use cipher suite pinning
> and all the other tricks we came up with to mitigate BEAST et al.

Ahhh. Thanks, I figured I must have missed the point :)

Although it isn't exactly news - referenced from the article:
http://jbp.io/2013/07/07/tls-downgrade/

Geoff
---- Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
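The downgrade Sven describes works because browsers of that era retried a failed handshake with a lower protocol version (the "fallback dance" the linked jbp.io article covers), so an active attacker only had to break the TLS 1.x attempts to push a session down to SSLv3. The script below is an added illustration, not code from this thread or from Cyrus: it builds real-format ClientHello records, models a fallback-dancing client, a constructed attacker that drops every handshake above SSLv3, and two constructed servers, one plain and one that honours TLS_FALLBACK_SCSV (RFC 7507), the signalling cipher suite that lets a server refuse a fallback connection it did not need. Server and attacker behaviour, the zeroed randoms and the single cipher suite are all assumptions made for the demo.

```python
"""Toy model of the TLS version-fallback dance and TLS_FALLBACK_SCSV.

Added example (not from the mailing-list thread). Records are encoded in
real TLS wire format, but the servers and the attacker are constructed
in-process functions, not network peers.
"""
import struct

SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
VERSION_NAMES = {SSL3: "SSLv3", TLS10: "TLS1.0", TLS11: "TLS1.1", TLS12: "TLS1.2"}

TLS_FALLBACK_SCSV = 0x5600          # RFC 7507 signalling cipher suite value
HANDSHAKE, ALERT = 0x16, 0x15       # record-layer content types
CLIENT_HELLO, SERVER_HELLO = 1, 2
ALERT_INAPPROPRIATE_FALLBACK = 86

# One CBC suite of the kind POODLE targets: TLS_RSA_WITH_AES_128_CBC_SHA
EXAMPLE_SUITES = [0x002F]


def build_client_hello(version, suites, fallback_scsv=False):
    """Encode a minimal ClientHello (no extensions) inside a handshake record."""
    if fallback_scsv:
        suites = list(suites) + [TLS_FALLBACK_SCSV]
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", version)
            + bytes(32)                          # client_random (zeros: constructed)
            + b"\x00"                            # empty session_id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")                       # compression_methods: null only
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([HANDSHAKE]) + struct.pack("!H", version)
            + struct.pack("!H", len(handshake)) + handshake)


def parse_client_hello(record):
    """Return (client_version, [cipher suites]) from a ClientHello record."""
    assert record[0] == HANDSHAKE and record[5] == CLIENT_HELLO
    body = record[9:]                            # 5-byte record + 4-byte handshake header
    version = struct.unpack("!H", body[:2])[0]
    pos = 35 + body[34]                          # skip version, random, session_id
    suite_len = struct.unpack("!H", body[pos:pos + 2])[0]
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos + 2, pos + 2 + suite_len, 2)]
    return version, suites


def build_alert(description):
    """Fatal alert record (level 2) with the given description code."""
    return bytes([ALERT, 0x03, 0x01, 0x00, 0x02, 2, description])


def build_server_hello(version):
    """Minimal ServerHello selecting EXAMPLE_SUITES[0] at the given version."""
    body = (struct.pack("!H", version) + bytes(32) + b"\x00"
            + struct.pack("!H", EXAMPLE_SUITES[0]) + b"\x00")
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([HANDSHAKE]) + struct.pack("!H", version)
            + struct.pack("!H", len(handshake)) + handshake)


def parse_response(record):
    """Return ("server_hello", version) or ("alert", description)."""
    if record[0] == ALERT:
        return "alert", record[6]
    if record[0] == HANDSHAKE and record[5] == SERVER_HELLO:
        return "server_hello", struct.unpack("!H", record[9:11])[0]
    raise ValueError("unexpected record")


def make_server(max_version, honours_scsv):
    """Constructed server speaking SSLv3..max_version; optionally RFC 7507-aware."""
    def server(client_hello):
        version, suites = parse_client_hello(client_hello)
        # RFC 7507: a fallback-marked hello below our best version means the
        # client's earlier attempt was interfered with, so refuse it.
        if honours_scsv and TLS_FALLBACK_SCSV in suites and version < max_version:
            return build_alert(ALERT_INAPPROPRIATE_FALLBACK)
        return build_server_hello(min(version, max_version))
    return server


def downgrade_attacker(server):
    """Constructed active attacker: drops every handshake above SSLv3."""
    def intercept(client_hello):
        version, _ = parse_client_hello(client_hello)
        return None if version > SSL3 else server(client_hello)
    return intercept


def client_connect(send, versions=(TLS12, TLS11, TLS10, SSL3)):
    """Browser-style fallback dance: retry one version lower after each failure.
    Every retry carries TLS_FALLBACK_SCSV, as RFC 7507 requires of clients."""
    for attempt, version in enumerate(versions):
        response = send(build_client_hello(version, EXAMPLE_SUITES, fallback_scsv=attempt > 0))
        if response is None:                     # dropped connection: fall back
            continue
        kind, value = parse_response(response)
        if kind == "server_hello":
            return VERSION_NAMES[value]
        if value == ALERT_INAPPROPRIATE_FALLBACK:
            return "aborted: inappropriate_fallback"
    return "failed"


def demo():
    """Run the dance against both servers, with and without the attacker."""
    legacy = make_server(TLS12, honours_scsv=False)
    modern = make_server(TLS12, honours_scsv=True)
    return {
        "legacy direct": client_connect(legacy),
        "legacy via attacker": client_connect(downgrade_attacker(legacy)),
        "scsv direct": client_connect(modern),
        "scsv via attacker": client_connect(downgrade_attacker(modern)),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:22s} -> {outcome}")
```

Against the plain server the attacker never has to touch SSLv3 itself: dropping the three TLS attempts is enough to land the session on SSLv3 with a CBC suite, which is the precondition POODLE exploits. The SCSV-aware server sees the fallback marker on an SSLv3 hello, knows it could have done TLS 1.2, and aborts; disabling SSLv3 outright on the server removes the target regardless of client behaviour.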