On Thu, Oct 16, 2014 at 02:50:58PM +0200, Bodo Moeller wrote:
> This is not quite the same discussion as in the TLS Working Group, but
> I certainly think that the claim that "new SCSV does not help with
> [the SSL 3.0 protocol issue related to CBC padding] at all" is wrong,
> and that my statement that TLS_FALLBACK_SCSV can be used to counter
> CVE-2014-3566 is right.
The point is more nuanced and boils down to there being a difference between CVE-2014-3566 (SSLv3's vulnerability to padding oracle attacks on CBC-mode ciphers) and POODLE (an attack that exploits CVE-2014-3566 by leveraging protocol fallback implementations to force peers into SSLv3 communication).

TLS_FALLBACK_SCSV does not fix or mitigate CVE-2014-3566. With or without 0x5600, SSLv3 CBC-mode cipher usage is broken.

Chrome, Firefox, etc. intentionally implement protocol fallback (which I presume is why there are no MITRE CVE designations for the behavior per se). However, one can make a strong case that protocol fallback implementations that are MITM-triggerable deserve CVE designations. TLS_FALLBACK_SCSV could then be accurately described as partially mitigating those CVEs.

--mancha
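The distinction drawn in the message above (the SCSV stops an attacker-induced downgrade, but does nothing for a peer that legitimately ends up on SSLv3) can be made concrete with a small model of the RFC 7507 check. The following is an added example, not code from either poster or from any TLS implementation: it models ClientHello version and cipher-suite list as plain Python values, an active attacker as a function that drops handshakes above a chosen version, and the server-side rule from RFC 7507 (abort with inappropriate_fallback when 0x5600 is present and the offered version is below the server's highest). Function names such as `fallback_connect` and `server_hello` are hypothetical; the cipher suite value 0x002F is only a constructed stand-in for some CBC suite.

```python
"""Toy model of browser-style protocol fallback and TLS_FALLBACK_SCSV
(RFC 7507). Constructed example: no real TLS handshake takes place."""
from dataclasses import dataclass

# Protocol version numbers as carried in ClientHello.client_version
SSL30, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
NAMES = {SSL30: "SSLv3", TLS10: "TLS1.0", TLS11: "TLS1.1", TLS12: "TLS1.2"}

TLS_FALLBACK_SCSV = 0x5600   # the signalling cipher suite value from the message
CBC_SUITE = 0x002F           # constructed stand-in for a CBC-mode suite


@dataclass
class ClientHello:
    client_version: int
    cipher_suites: list


class InappropriateFallback(Exception):
    """Stands in for the inappropriate_fallback(86) alert (RFC 7507 section 2)."""


def server_hello(hello: ClientHello, server_max: int) -> int:
    """Server-side rule: if the client signals a fallback (SCSV present) but
    offers less than the server's highest supported version, abort. Otherwise
    negotiate the usual minimum of the two maxima."""
    if TLS_FALLBACK_SCSV in hello.cipher_suites and hello.client_version < server_max:
        raise InappropriateFallback(f"client offered {NAMES[hello.client_version]} "
                                    f"but server supports {NAMES[server_max]}")
    return min(hello.client_version, server_max)


def interfering_network(hello: ClientHello, max_allowed: int) -> ClientHello:
    """Active-attacker model from the POODLE description: any handshake above
    max_allowed simply never completes, so the client's fallback logic kicks in."""
    if hello.client_version > max_allowed:
        raise ConnectionError("handshake dropped")
    return hello


def fallback_connect(client_max: int, server_max: int, send_scsv: bool,
                     interfere_above: int = None) -> str:
    """Browser-style downgrade dance: on a failed handshake, retry with the next
    lower version. With send_scsv=True the retries carry 0x5600 (RFC 7507
    section 4: only on fallback attempts, never on the first try)."""
    versions = [v for v in (TLS12, TLS11, TLS10, SSL30) if v <= client_max]
    for attempt, version in enumerate(versions):
        suites = [CBC_SUITE]
        if send_scsv and attempt > 0:
            suites.append(TLS_FALLBACK_SCSV)
        hello = ClientHello(version, suites)
        try:
            if interfere_above is not None:
                hello = interfering_network(hello, interfere_above)
            return NAMES[server_hello(hello, server_max)]
        except ConnectionError:
            continue                      # fallback: try the next lower version
        except InappropriateFallback:
            return "aborted: inappropriate_fallback"
    return "failed"


if __name__ == "__main__":
    # Attacker forces SSLv3 on a client without the SCSV (the POODLE path)
    print(fallback_connect(TLS12, TLS12, send_scsv=False, interfere_above=SSL30))
    # Same attacker, client sends 0x5600 on retries: server refuses the downgrade
    print(fallback_connect(TLS12, TLS12, send_scsv=True, interfere_above=SSL30))
    # SSLv3-only server, no attacker: SCSV changes nothing, CBC in SSLv3 is still used
    print(fallback_connect(TLS12, SSL30, send_scsv=True))
```

The third call is the case the message is making: a server whose highest version really is SSLv3 negotiates SSLv3 on the first attempt, no SCSV is ever sent, and the CBC padding weakness (CVE-2014-3566) is fully in play. The SCSV only helps in the second call, where the downgrade was induced rather than genuine.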