While SSL 3.0 is obsolete, the protocol is still supported by most modern browsers, and a browser will fall back to it when a connection attempt with a newer protocol fails. "[B]rowsers will retry failed connections with older protocol versions, including SSL 3.0," Google explains. "Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue."
The exploit is outlined here, and the specifics are, frankly, a little over my head. In a nutshell, though, Google says the flaw "can be exploited by a man-in-the-middle attacker to decrypt 'secure' HTTP cookies." Google's recommended fix, from its blog post:
Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.
Both Google's web servers and its Chrome web browser already support TLS_FALLBACK_SCSV (and have done so since February). On top of that, the company says Chrome will "begin testing changes today that disable the fallback to SSL 3.0." Since the blog post about this issue went up yesterday afternoon, I assume testing is already underway.
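To make the fallback dance and the TLS_FALLBACK_SCSV fix concrete, here is a small simulation. It is an added example for this article, not code from Google, Chrome, or any TLS library: the handshake is reduced to a version string plus a list of cipher-suite values, the "network attacker" is a set of versions whose connection attempts get reset, and the four-rung fallback ladder (TLS 1.2 down to SSL 3.0) is an assumption about 2014-era browser behaviour. The SCSV value 0x5600 and the inappropriate_fallback alert come from RFC 7507; everything else is a simplifying assumption.

```python
"""Toy model of browser protocol-version fallback and of the
TLS_FALLBACK_SCSV check from RFC 7507 (added example, not vendor code)."""

from dataclasses import dataclass

TLS_FALLBACK_SCSV = 0x5600                   # RFC 7507 signalling cipher suite
ORDER = {"SSL3.0": 0, "TLS1.0": 1, "TLS1.1": 2, "TLS1.2": 3}
FALLBACK_LADDER = ["TLS1.2", "TLS1.1", "TLS1.0", "SSL3.0"]   # newest first (assumed)


@dataclass
class ClientHello:
    version: str            # highest version this hello offers
    cipher_suites: list


class Server:
    """Server with a highest supported version; optionally enforces the SCSV.

    `intolerant` models servers that simply drop a ClientHello whose version
    is newer than they understand, which is why browsers ever added fallback."""

    def __init__(self, highest, supports_scsv, intolerant=frozenset()):
        self.highest = highest
        self.supports_scsv = supports_scsv
        self.intolerant = intolerant

    def handle(self, hello):
        if hello.version in self.intolerant:
            return None                       # indistinguishable from a network failure
        if (self.supports_scsv
                and TLS_FALLBACK_SCSV in hello.cipher_suites
                and ORDER[hello.version] < ORDER[self.highest]):
            # The client says "this is a retry at a lowered version", yet we
            # support something higher: an earlier attempt was interfered with.
            return ("alert", "inappropriate_fallback")
        negotiated = min(hello.version, self.highest, key=ORDER.get)
        return ("ok", negotiated)


def browser_connect(server, blocked=frozenset(), send_scsv=True):
    """Walk down FALLBACK_LADDER the way a fallback-capable browser does.

    Returns (negotiated_version or None, transcript). A SCSV-aware client
    appends TLS_FALLBACK_SCSV to every retry below its first attempt."""
    transcript = []
    for attempt, version in enumerate(FALLBACK_LADDER):
        suites = [0xC02F]                     # some ordinary suite; value irrelevant here
        if attempt > 0 and send_scsv:
            suites.append(TLS_FALLBACK_SCSV)
        if version in blocked:
            transcript.append((version, "reset by attacker"))
            continue
        outcome = server.handle(ClientHello(version, suites))
        if outcome is None:
            transcript.append((version, "dropped by server"))
            continue
        transcript.append((version, outcome))
        if outcome[0] == "ok":
            return outcome[1], transcript
        return None, transcript               # fatal alert: RFC 7507 says do not retry lower
    return None, transcript


if __name__ == "__main__":
    mitm = frozenset({"TLS1.2", "TLS1.1", "TLS1.0"})   # attacker resets every TLS attempt
    legacy = Server("TLS1.2", supports_scsv=False)
    print("no SCSV:  ", browser_connect(legacy, mitm, send_scsv=False))
    patched = Server("TLS1.2", supports_scsv=True)
    print("with SCSV:", browser_connect(patched, mitm))
```

Run with no arguments: the legacy pair ends up on SSL 3.0 after three forced failures, which is exactly the state POODLE needs, while the SCSV-aware pair dies with inappropriate_fallback at the first lowered retry and never produces an SSL 3.0 session. The `intolerant` server shows the other half of the design: a server whose real maximum is TLS 1.0 still accepts the TLS 1.0 retry carrying the SCSV, so the signal only bites when the server could have done better.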