Google researchers find serious vulnerability in old SSL version - update


Researchers from Google have found a vulnerability in SSL 3.0 that allows an attacker who is able to intercept packets to steal cookies, among other things. Although SSL 3.0 has been out of date for years, this version is often still supported.

The Google researchers have named the bug Poodle, short for Padding Oracle On Downgraded Legacy Encryption. Unlike the Heartbleed bug in OpenSSL, where attackers could read part of the contents of the internal memory of a server using OpenSSL, Poodle is not a vulnerability in a specific SSL implementation but in the underlying protocol.

To abuse the bug, an attacker must be able to intercept a person's traffic, for example by means of a rogue network. JavaScript can then be used to intercept cookies. That method is similar to the Beast vulnerability in TLS 1.0, which came to light in 2011.

There is no workaround available, the researchers stress: SSL 3.0 should be avoided completely. The problem is that many browsers and servers still support the eighteen-year-old SSL 3.0. An attacker can also induce a user's browser to switch to SSL 3.0 by making handshakes with newer SSL/TLS versions fail.
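The fallback behaviour described above can be modelled in a few lines. This is an added example, not code from the article or from the Google researchers: it simulates a client that retries with a lower protocol version after a failed handshake, and shows that both a client-side version floor and a server without SSL 3.0 make the connection fail closed instead of landing on SSL 3.0. The names `Version`, `handshake`, `connect`, `blocked` and `floor` are assumptions made for this model.

```python
from enum import IntEnum

class Version(IntEnum):
    # Protocol version numbers as they appear on the wire.
    SSL3 = 0x0300
    TLS10 = 0x0301
    TLS11 = 0x0302
    TLS12 = 0x0303

ALL = frozenset(Version)
TLS_ONLY = ALL - {Version.SSL3}

def handshake(client_max, server_versions, blocked):
    """One handshake attempt in this constructed model.

    Returns the negotiated version, or None when the attempt fails.
    `blocked` models someone on the network path making handshakes
    that offer those versions fail.
    """
    if client_max in blocked:
        return None
    common = [v for v in server_versions if v <= client_max]
    return max(common) if common else None

def connect(server_versions, blocked=frozenset(), floor=Version.SSL3):
    """Client with fallback retries: start at the highest version and,
    after each failure, retry one version lower. `floor` is the lowest
    version the client accepts; below it the client gives up."""
    for attempt in sorted(Version, reverse=True):
        if attempt < floor:
            break
        result = handshake(attempt, server_versions, blocked)
        if result is not None and result >= floor:
            return result
    return None  # fail closed: no connection rather than a weak one

if __name__ == "__main__":
    tls_blocked = frozenset({Version.TLS10, Version.TLS11, Version.TLS12})
    cases = [
        ("no interference", ALL, frozenset(), Version.SSL3),
        ("TLS handshakes fail, client falls back", ALL, tls_blocked, Version.SSL3),
        ("same, client floor at TLS 1.0", ALL, tls_blocked, Version.TLS10),
        ("same, server without SSL 3.0", TLS_ONLY, tls_blocked, Version.SSL3),
    ]
    for label, server, blocked, floor in cases:
        result = connect(server, blocked, floor)
        print(f"{label}: {result.name if result else 'connection refused'}")
```

Removing SSL 3.0 on either side is enough to stop the downgrade in this model, because the fallback only succeeds when both client and server still accept it.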

Google itself will remove SSL 3.0 support from Google Chrome. Although SSL 3.0 is, according to Mozilla, still used for millions of transactions, support is also being phased out in Firefox 34. If servers also phase out support for SSL 3.0, that creates a problem, particularly for users of older software, such as users of Internet Explorer 6. Users can test whether their browsers are affected at Poodletest.com.
