mancha <manc...@zoho.com>:

> Bodo Moeller wrote:
> > I certainly think that the claim that "new SCSV does not help with
> > [the SSL 3.0 protocol issue related to CBC padding] at all" is wrong,
> > and that my statement that TLS_FALLBACK_SCSV can be used to counter
> > CVE-2014-3566 is right.
>
> The point is more nuanced and boils down to there being a difference
> between CVE-2014-3566 (SSLv3's vulnerability to padding oracle attacks
> on CBC-mode ciphers) and POODLE (an attack that exploits CVE-2014-3566
> by leveraging protocol fallback implementations to force peers into
> SSLv3 communication).
>
> TLS_FALLBACK_SCSV does not fix or mitigate CVE-2014-3566. With or
> without 0x5600, SSLv3 CBC-mode cipher usage is broken.

Sure, I understand that. Disabling SSL 3.0 doesn't "fix" CVE-2014-3566 either, because SSL 3.0 remains just as broken even if you don't use it. In both cases (TLS_FALLBACK_SCSV or disabling SSL 3.0), it's about avoiding unwarranted use of SSL 3.0 to avoid the vulnerability.

> Chrome, Firefox, etc. intentionally implement protocol fallback (which I
> presume is why there are no MITRE CVE designations for the behavior per
> se). However, one can make a strong case protocol fallback
> implementations that are MITM-triggerable deserve CVE designations.

I agree. If there was such a CVE, that would be the main CVE to point to here.

Bodo
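The distinction the two of them are drawing (the SCSV changes nothing about SSL 3.0 CBC itself, it only refuses a downgrade that a client's own fallback logic would otherwise perform) is easy to see in a small model of the RFC 7507 server-side check and of the browser-style "fallback dance". The following is an added example, not code from this thread or from OpenSSL; the alert numbers and the 0x5600 suite value come from RFC 7507 and RFC 5246, while the version tuples, the offered cipher suite, the `attacker_max`/`intolerant_server` parameters and the scenario names are constructed for illustration.

```python
"""Model of the TLS_FALLBACK_SCSV check (RFC 7507) and a browser-style
fallback dance.  Added example; everything below is a simplified model,
not a TLS implementation."""

TLS_FALLBACK_SCSV = 0x5600      # cipher suite value {0x56, 0x00}, RFC 7507
INAPPROPRIATE_FALLBACK = 86     # alert description defined by RFC 7507
PROTOCOL_VERSION = 70           # standard alert from RFC 5246

# Record-layer version numbers (major, minor); tuple order == protocol order.
SSL3_0, TLS1_0, TLS1_1, TLS1_2 = (3, 0), (3, 1), (3, 2), (3, 3)

AES128_SHA = 0x002F   # TLS_RSA_WITH_AES_128_CBC_SHA, just a real suite to offer


def server_check(client_version, cipher_suites, server_min, server_max,
                 honours_scsv=True):
    """Decide a ClientHello.  Returns None to accept (the server will pick
    min(client_version, server_max)) or the alert number to send.
    honours_scsv=False models a server that predates RFC 7507."""
    if client_version < server_min:
        return PROTOCOL_VERSION
    # RFC 7507 section 3: SCSV present and the client offers a version below
    # the highest the server supports => the client could have done better,
    # so something on the path forced the downgrade.  Refuse it.
    if (honours_scsv and TLS_FALLBACK_SCSV in cipher_suites
            and client_version < server_max):
        return INAPPROPRIATE_FALLBACK
    return None


def fallback_dance(client_versions, attacker_max, server_min, server_max,
                   honours_scsv=True, intolerant_server=False):
    """Client tries its versions highest-first.  Any attempt above
    attacker_max is dropped by an active attacker (or a broken middlebox);
    intolerant_server=True models an old server that drops hellos above its
    own maximum instead of negotiating down.  Per RFC 7507 section 4 the
    client adds the SCSV to every retry after the first attempt.
    Returns ("negotiated", version), ("alert", number) or ("failed", None)."""
    for attempt, version in enumerate(sorted(client_versions, reverse=True)):
        suites = [AES128_SHA] + ([TLS_FALLBACK_SCSV] if attempt > 0 else [])
        if version > attacker_max:
            continue                       # killed before the server sees it
        if intolerant_server and version > server_max:
            continue                       # server chokes, client retries lower
        alert = server_check(version, suites, server_min, server_max, honours_scsv)
        if alert is not None:
            return ("alert", alert)
        return ("negotiated", min(version, server_max))
    return ("failed", None)


def scenarios():
    """Four constructed situations that separate CVE-2014-3566 from POODLE."""
    modern_client = [SSL3_0, TLS1_0, TLS1_1, TLS1_2]
    return {
        # Nobody interferes: the highest common version is used.
        "no attacker":
            fallback_dance(modern_client, TLS1_2, SSL3_0, TLS1_2),
        # Attacker kills every hello above SSL 3.0; the SSL 3.0 retry carries
        # the SCSV and a patched server refuses it (downgrade blocked).
        "attacker, server with SCSV":
            fallback_dance(modern_client, SSL3_0, SSL3_0, TLS1_2),
        # Same attacker, server ignores the SCSV: SSL 3.0 is negotiated and
        # the CBC weakness (CVE-2014-3566) is now reachable -- this is POODLE.
        "attacker, server without SCSV":
            fallback_dance(modern_client, SSL3_0, SSL3_0, TLS1_2,
                           honours_scsv=False),
        # Genuinely old server: SSL 3.0 is its real maximum, so the SCSV does
        # not trigger.  The SCSV never "fixes" SSL 3.0, it only stops
        # unwarranted use of it.
        "old SSL 3.0-only server":
            fallback_dance(modern_client, TLS1_2, SSL3_0, SSL3_0,
                           intolerant_server=True),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:32s} -> {outcome}")
```

The last two scenarios are the point of the thread: with an SCSV-aware server the downgrade attempt ends in alert 86, without one it ends in an SSL 3.0 session where the CBC padding issue applies, and against a server whose real maximum is SSL 3.0 the SCSV is silent, which is why it mitigates the downgrade rather than the protocol flaw.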