SSL 3.0 discovered to be insecure to a man-in-the-middle attack
SSL v3.0 has been found to be insecure to a
man-in-the-middle attack, allowing the plaintext of secure connections
to be calculated by a network attacker.
SSL 3.0 is nearly 18 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue.
Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.
Innovice-IT is partner of KeyTalk (http://keytalk.com). KeyTalk prevents man in the middle attacks at a very smart way with Device DNA and short living certificates. This prevents a load of key management for your helpdesk and keeps the login’s safe. We are able to facilitate a proof of concept for your company. Please contact us for more information.