POODLE (An SSL 3.0 Vulnerability)

SSL, the predecessor to TLS, reached version 3.0 before changing names to TLS. TLS versions currently defined include TLS 1.0, 1.1, and 1.2, with the 1.3 specification still being worked out.

“Padding Oracle On Downgraded Legacy Encryption” Bug (POODLE) was disclosed on October 14th, 2014 and allows an attacker to read information encrypted with SSL 3.0 in plain text using a man-in-the-middle attack. Here at wolfSSL we highly encourage our users to avoid using SSL 3.0 as an attacker can force a connection to use SSL 3.0 if it is available to both participants in the connection, thus allowing the attacker to exploit this bug.

POODLE effects any clients communicating with SSL 3.0. This is a flaw with the protocol design and not an implementation error. Therefore EVERY software application that uses SSL 3.0 is susceptible.

CyaSSL supports industry standards up to the current TLS 1.2 and as such is not vulnerable to the POODLE bug as long as our clients are using a version of TLS higher than SSL 3.0. It is highly recommended that TLS1.2 is used whenever possible.

References
http://www.entrust.com/poodle-kill-ssl-3-0/

wolfSSL Info Session: MSU Bozeman

wolfSSL will be holding an info session this upcoming Monday at Montana State University in Bozeman, MT for students interested in learning more about wolfSSL. The session will introduce wolfSSL as a company including background information, product lineup, work environment, and more.

We encourage any students who will be in the area and are interested in Internet security, SSL/TLS, cryptography, embedded security, or software development to attend! Pizza will be served.

wolfSSL Info Session
Monday, October 13, 2014
Montana State University, Bozeman
5-6pm, SUB 223

We look forward to seeing you there!