Cisco Blogs


Cisco Blog > Security > Threat Research

POODLE and The Curse of Backwards Compatibility

This post was written by Martin Lee

Old protocol versions are a fact of life. When a new improved protocol is released, products still need to support the old version for backwards compatibility. If previous versions contain weaknesses in security, yet their continued support is mandated, then security can become a major issue when a potential weakness is discovered to be a genuine vulnerability and an exploit is released.

The Transport Layer Security (TLS) protocol defines how systems can exchange data securely. The current version 1.2 dates from August 2008, however the protocol’s origins lie in the Secure Sockets Layer (SSL) standard first published in February 1995. As weaknesses in the cryptography and flaws in the protocol design were discovered, new versions of the protocol were released.

In order to maintain interoperability the most recent TLS standard requires that systems support previous versions down to SSL 3.0. The discovery of a cryptographic weakness in SSL 3.0 and the publication of an attack that can exploit this provide attackers with a means to attack TLS implementations by intercepting communications using the old SSL 3.0 protocol.

The vulnerability, assigned the Common Vulnerability and Exposure ID CVE-2014-3566, and referred to as POODLE, allows an attacker to modify the padding bytes that are inserted into SSL packets to ensure that they are of the correct length and replay modified packets to a system in order to identify the bytes within a message,  one by one. This allows an attacker to discover the values of cookies used to authenticate https secured web sessions. Nevertheless, the vulnerability potentially affects any application that secures traffic using TLS, not only https traffic. Read More »

Tags: , , , , ,

BREACH, CRIME and Black Hat

August 6, 2013 at 6:00 am PST

During the last three years, the security research community has been having a lot of fun with SSL/TLS uncovering a few nifty attacks. First, in 2011, Juliano Rizzo and Thai Duong released the details about the BEAST attack on Transport Layer Security (TLS) at the ekoparty Security Conference in Buenos Aires, Argentina. I wrote a brief overview of the attack at the following blog post:
http://blogs.cisco.com/security/beat-the-beast-with-tls

In 2012, again at the ekoparty Security Conference in Buenos Aires, Rizzo and Duong revealed a compression side-channel attack against HTTPS called CRIME. This year at Black Hat USA, Angelo Prado, Neal Harris, and Yoel Gluck uncovered a new attack and a tool they called BREACH, which is based on some of the previous research by the folks behind CRIME.

Read More »

Tags: , , ,

Top of Mind: Problems with SSL, solved with DNSSEC?

Lately we have seen various attacks against the various SSL/TLS usages that we have in the world. The attacks have not been technical per se, but instead use weaknesses in the procedures that are used to get a certificate. Lets first look at how trust is built up using SSL.

Read More »

Tags: , , ,

Which VPN Is Best for Your Small Business?

When choosing between IPSec and SSL, you might find you need both kinds of VPNs.

Mobile workers are a fact of life for most small businesses and that is often a good thingfor both the company and the employee or contractor. Users who have remote access to your small business network from their home offices or while traveling tend to be more productive and can helps save your company money. The trick, of course, is making sure that the mobile connections to your network are secure. For that, you need an encrypted virtual private network (VPN), which lets remote users safely connect to your network from any location with Internet access.

Read More »

Tags: , , , , ,

AnyConnect is Now Available on the iPad

The iPad is one of the hottest gifts for this holiday season. Kids and adults alike are hoping to receive one as a gift from others or as a gift for themselves. It will be a busy time for the App Store for sure and many of the adults will probably be trying to use their iPad to access corporate email or other information.

Cisco’s gift for those users is Cisco AnyConnect for the iPad, making that corporate user more secure. The market-leading secure mobility client, positioned as a leader by Gartner in the recent 2010 Magic Quadrant for SSL VPNs , is now available on the Apple App Store free of charge. Companies with AnyConnect Essentials or Premium VPN licenses on their Cisco ASA 55000 can now allow their employees to connect using the iPad. Companies can now realize the value of Cisco Secure Mobility and Borderless networks. They can connect anyone, anywhere—securely, reliably, and seamlessly. Read More »

Tags: , , , , , , ,