|
The POODLE attack (which stands for "Padding Oracle On Downgraded Legacy Encryption") is a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0. If attackers successfully exploit this vulnerability, on average, they only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages. Bodo Möller, Thai Duong and Krzysztof Kotowicz from the Google Security Team discovered this vulnerability; they disclosed the vulnerability publicly on October 14, 2014 (despite the paper being dated "September 2014" 〔).〔(【引用サイトリンク】title=Google Online Security Blog: This POODLE bites: exploiting the SSL 3.0 fallback )〕 Ivan Ristic does not consider the POODLE attack as serious as the Heartbleed and Shellshock attacks. On December 8, 2014 a variation of the POODLE vulnerability that affected TLS was announced. The CVE-ID associated with the original POODLE attack is (CVE-2014-3566 ). F5 Networks filed for (CVE-2014-8730 ) as well, see POODLE attack against TLS section below. == Exploitation of graceful degradation == POODLE exemplifies a vulnerability that succeeds thanks to a mechanism designed for reducing security for the sake of interoperability. When designing systems in domains with high levels of fragmentation, then, extra care is appropriate. In such domains graceful security degradation may become common.〔 (【引用サイトリンク】 title=Poodle flaw and IoT ) 〕 抄文引用元・出典: フリー百科事典『 ウィキペディア(Wikipedia)』 ■ウィキペディアで「POODLE」の詳細全文を読む スポンサード リンク
|