[openssl-users] CVE-2014- and OpenSSL?

Jeffrey Walton noloader at gmail.com
Fri Dec 12 20:31:31 UTC 2014


On Fri, Dec 12, 2014 at 5:23 AM, Jakob Bohm <jb-openssl at wisemo.com> wrote:
> On 09/12/2014 21:46, Jeffrey Walton wrote:
>
> On Tue, Dec 9, 2014 at 2:07 PM, Amarendra Godbole
> <amarendra.godbole at gmail.com> wrote:
>
> So Adam Langley writes "SSLv3 decoding function was used with TLS,
> then the POODLE attack would work, even against TLS connections." in
> his latest post on POODLE affecting TLS 1.x
> (https://www.imperialviolet.org/).
>
> I also received a notification from Symantec's DeepSight, that states:
> "OpenSSL CVE-2014-8730 Man In The Middle Information Disclosure
> Vulnerability".
>
> However, I could not find more information on OpenSSL's web-site about
> POODLE-biting-again. Did I miss any notification? Thanks.
>
> Here's some more reading:
> https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls
>
> There's nothing specific to OpenSSL. It's a design defect in the
> protocols (it's been well known that TLS 1.0 had the same oracle as
> SSLv3 since only the IV changed between them).
>
> It's not surprising that a PoC demonstrates it against TLS 1.0. Many
> have been waiting for it.
>
> It looks like Ubuntu is going to have to enable TLS 1.1 and 1.2 in
> 12.04 LTS for clients.
> https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1256576
>
> Stop spreading FUD and lies.  This is NOT a protocol weakness in any TLS
> version, it is an implementation *bug* affecting multiple TLS
> implementations, specifically those that don't implement the *required*
> checks of the padding during decryption.

The cryptographers would disagree with you. The various attacks
against the design defects appear to offer proof by counter example.

Here's the analysis by Krawczyk: "The Order of Encryption and
Authentication for Protecting Communications",
http://www.iacr.org/archive/crypto2001/21390309.pdf.

Here's his recent remarks on the TLS WG mailing list where he
revisited his conclusions, and called out SSL/TLS as being
unconditionally insecure (due to a misunderstanding in the way padding
was applied). From
http://www.ietf.org/mail-archive/web/tls/current/msg13677.html:

    So the math in the paper is correct - the
    conclusion that TLS does it right is wrong.
    It doesn't.

You should probably share your insights on the TLS WG mailing list.
You can join here: https://www.ietf.org/mailman/listinfo/tls.

Jeff
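As an added illustration (not part of this thread, and not OpenSSL's code), here is the distinction Jakob draws between the "required checks of the padding" and the SSLv3-style decoding Langley describes, written as two padding validators run over a constructed decrypted CBC record. The 16-byte block size and the record contents are assumptions.

```python
# Added example (not from the thread): what "the required checks of the
# padding" means for a CBC record once decrypted. Layout after decryption:
#   payload || MAC || padding bytes || pad_len   (pad_len+1 padding bytes total)
# SSLv3 only validated pad_len; TLS 1.0+ requires every padding byte to
# equal pad_len. Constant-time handling (Lucky 13) is out of scope here.
from typing import Callable, Optional, Tuple

BLOCK_SIZE = 16  # AES block size, assumed


def sslv3_padding_ok(plaintext: bytes) -> bool:
    """SSLv3-style check: only the final length byte is validated."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    # SSLv3 padding must be shorter than one block; the bytes are unchecked.
    return pad_len < BLOCK_SIZE and pad_len + 1 <= len(plaintext)


def tls_padding_ok(plaintext: bytes) -> bool:
    """TLS 1.0+ check: every padding byte must equal the length byte."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return False
    return all(b == pad_len for b in plaintext[-(pad_len + 1):])


def strip_padding(plaintext: bytes, check: Callable[[bytes], bool]) -> Optional[bytes]:
    """Return payload||MAC if `check` accepts the padding, else None."""
    if not check(plaintext):
        return None
    return plaintext[: len(plaintext) - plaintext[-1] - 1]


def compare_checks(plaintext: bytes) -> Tuple[bool, bool]:
    """(accepted by an SSLv3-style decoder, accepted by a TLS decoder)."""
    return sslv3_padding_ok(plaintext), tls_padding_ok(plaintext)


# Constructed sample: a 32-byte decrypted record with 28 bytes of
# payload+MAC and pad_len = 3 (four padding bytes 03 03 03 03).
GOOD_RECORD = b"\x41" * 28 + bytes([3, 3, 3, 3])
# Same record with garbage in the padding bytes but an intact length byte:
# an SSLv3-style decoder accepts it, a conforming TLS decoder rejects it.
GARBLED_PADDING = b"\x41" * 28 + bytes([0x9C, 0x00, 0x7F, 3])

if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("garbled", GARBLED_PADDING)):
        print(name, compare_checks(rec))
```

A decoder that reports the two records differently (accept versus reject) is the one performing the full check; one that treats them alike is behaving as the SSLv3 decoder did.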