While SSL 3.0 is obsolete, the protocol is supported by most modern browsers and can be invoked in the event of a connection failure. "[B]rowsers will retry failed connections with older protocol versions, including SSL 3.0," Google explains. "Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue."
The exploit is outlined here, and the specifics are, frankly, a little over my head. In a nutshell, though, Google says the exploit "can be exploited by a man-in-the-middle attacker to decrypt 'secure' HTTP cookies." Plugging the hole involves the following steps:
Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.
Both Google's web servers and its Chrome web browser already support TLS_FALLBACK_SCSV (and have done so since February). On top of that, the company says Chrome will "begin testing changes today that disable the fallback to SSL 3.0." Since the blog post about this issue went up yesterday afternoon, I assume testing is already underway.
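The retry-with-older-version behaviour and the TLS_FALLBACK_SCSV check Google describes, modelled as an added toy example (not Google's, Chrome's or any TLS library's code): the version list, server flags and failure predicate are constructed assumptions; only the 0x5600 suite value and the inappropriate_fallback alert come from RFC 7507.

```python
# Toy model of the RFC 7507 TLS_FALLBACK_SCSV downgrade check (constructed example).
TLS_FALLBACK_SCSV = 0x5600  # cipher-suite value reserved for the signal by RFC 7507
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]  # oldest -> newest
CBC_SUITE = 0x002F  # TLS_RSA_WITH_AES_128_CBC_SHA, an ordinary suite the client offers


def server_hello(server_max, supports_scsv, client_version, cipher_suites):
    """Server side: negotiate normally, or send the fatal inappropriate_fallback alert.

    A server that supports the SCSV and sees it in a hello whose version is lower
    than the best it supports knows the client was pushed down, and refuses.
    A legacy server (supports_scsv=False) just ignores the unknown suite value.
    """
    if (supports_scsv and TLS_FALLBACK_SCSV in cipher_suites
            and VERSIONS.index(client_version) < VERSIONS.index(server_max)):
        return ("alert", "inappropriate_fallback")
    return ("ok", min(client_version, server_max, key=VERSIONS.index))


def connect(server_max, supports_scsv, fails, send_scsv, allow_sslv3=True):
    """Browser side: try the newest version first, retry older ones on failure.

    `fails(version)` says whether the handshake attempt at that version is lost;
    the browser cannot tell an attacker dropping packets from a buggy middlebox,
    which is exactly what the fallback dance exploits. Returns (negotiated, log).
    """
    log = []
    for version in reversed(VERSIONS):
        if version == "SSLv3" and not allow_sslv3:  # Chrome's "no fallback to SSL 3.0"
            log.append((version, "skipped"))
            continue
        if fails(version):
            log.append((version, "dropped"))
            continue
        suites = [CBC_SUITE]
        if send_scsv and log:  # any retry after an earlier attempt is a fallback
            suites.append(TLS_FALLBACK_SCSV)
        status, detail = server_hello(server_max, supports_scsv, version, suites)
        log.append((version, detail))
        # An alert is fatal: the browser must not retry even lower, so stop here.
        return (detail if status == "ok" else None), log
    return None, log


if __name__ == "__main__":
    attacker = lambda v: v != "SSLv3"  # network attacker drops every non-SSLv3 attempt
    print("no SCSV  :", connect("TLSv1.2", True, attacker, send_scsv=False))
    print("with SCSV:", connect("TLSv1.2", True, attacker, send_scsv=True))
    print("legacy   :", connect("SSLv3", False, attacker, send_scsv=True))
```

The first run shows the attacker forcing SSLv3, the second shows the same attempt ending in an inappropriate_fallback alert, and the third shows a genuine SSLv3-only server still reachable, which is the compatibility point Google makes.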