POODLE not fixed? Some TLS systems vulnerable

The original POODLE bug which dogged SSLv3 was built into the protocol, but some TLS implementations make a mistake which causes the same effect.
Written by Larry Seltzer, Contributor

Google SSL guru Adam Langley has revealed that many TLS implementations are vulnerable to an attack similar to the POODLE attack disclosed several weeks ago, which was thought to affect only SSL version 3.

SSLv3 did not fully specify the padding appended to data encrypted with CBC-mode ciphers: only the final byte, which gives the padding length, was defined, and the remaining padding bytes could hold anything. Because a receiver had nothing to check those bytes against, it could not reject irregular padding, and its accept-or-reject behaviour became what is called a "padding oracle," which an attacker can use to decrypt protected data one byte at a time.

After SSL version 3 the protocol was renamed TLS and the version number reset to 1.0. One change in TLS 1.0 was to fully specify the contents of the padding bytes (each must equal the padding length), so a receiver can reject anything else, which prevents this attack.

But it turns out that some TLS implementations still don't check the padding bytes, despite the specification making that possible. Most likely many implementers simply reused their SSLv3 record-decryption code, which works fine with TLS in every respect except that it never checks the padding bytes, leaving those implementations open to the same POODLE attack over TLS.
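To make the difference concrete, here is a simulation of the padding-oracle attack described above, written for this article and not taken from Langley's post or from any affected product. It models one CBC record as MAC-then-encrypt with a toy Feistel block cipher (the attack depends only on the CBC structure, not on cipher weakness), a client that pads records SSLv3-style or TLS-style, and a server whose accept/reject decision is the oracle. The attacker keeps moving a secret byte to the end of a block, copies that ciphertext block into the final (all-padding) slot, and learns the byte whenever the server accepts. The keys, seed and cookie value are constructed for reproducibility.

```python
"""Added example: POODLE padding-oracle attack against SSLv3-style versus TLS-style padding checks."""
import hashlib
import hmac
import random

BLOCK = 16
MAC_LEN = 8
ENC_KEY = b"constructed-enc-key"   # constructed, not a real session key
MAC_KEY = b"constructed-mac-key"
_rng = random.Random(2014)         # seeded so every run is reproducible
SECRET = b"session=7f3a9c1b"       # constructed cookie the attacker wants

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def block_encrypt(key, blk):
    """Toy 4-round Feistel cipher standing in for AES/3DES."""
    left, right = blk[:8], blk[8:]
    for i in range(4):
        left, right = right, _xor(left, _f(key, i, right))
    return left + right

def block_decrypt(key, blk):
    left, right = blk[:8], blk[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _f(key, i, left)), left
    return left + right

def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, blk), prev))
        prev = blk
    return b"".join(out)

def _mac(msg):
    return hmac.new(MAC_KEY, msg, hashlib.sha256).digest()[:MAC_LEN]

def seal(plaintext, mode):
    """Client: MAC-then-encrypt one record. 'sslv3' leaves the padding bytes
    unspecified (random here); 'tls' sets every padding byte to the pad length."""
    body = plaintext + _mac(plaintext)
    p = BLOCK - 1 - len(body) % BLOCK            # p+1 padding bytes; p == 15 is a full block
    if mode == "sslv3":
        padding = bytes(_rng.randrange(256) for _ in range(p)) + bytes([p])
    else:
        padding = bytes([p]) * (p + 1)
    iv = bytes(_rng.randrange(256) for _ in range(BLOCK))
    return iv + cbc_encrypt(ENC_KEY, iv, body + padding)

def open_record(record, mode):
    """Server: plaintext, or None on any error. Accept versus reject is the oracle;
    a real server leaks it through an alert or a dropped connection."""
    iv, ct = record[:BLOCK], record[BLOCK:]
    padded = cbc_decrypt(ENC_KEY, iv, ct)
    p = padded[-1]
    if p >= BLOCK or p + 1 + MAC_LEN > len(padded):
        return None
    if mode == "tls" and padded[-(p + 1):] != bytes([p]) * (p + 1):
        return None                               # the check an SSLv3 receiver cannot make
    body = padded[:-(p + 1)]
    msg, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return msg if hmac.compare_digest(tag, _mac(msg)) else None

def poodle(mode, tries_per_byte=4096):
    """Attacker: recover SECRET a byte at a time. Returns whatever was recovered
    before the oracle stopped answering (all of SECRET for 'sslv3', b'' for 'tls')."""
    recovered = bytearray()
    for k in range(len(SECRET)):
        # Prefix puts SECRET[k] at the last byte of some block; suffix makes the body
        # block-aligned so the record ends with a full block of padding (p == 15).
        prefix = (BLOCK - 1 - k) % BLOCK
        suffix = -(prefix + len(SECRET) + MAC_LEN) % BLOCK
        t = (prefix + k) // BLOCK + 1             # target block index; index 0 is the IV
        for _ in range(tries_per_byte):
            record = seal(b"A" * prefix + SECRET + b"B" * suffix, mode)
            blocks = [record[i:i + BLOCK] for i in range(0, len(record), BLOCK)]
            blocks[-1] = blocks[t]                 # move the target block into the padding slot
            if open_record(b"".join(blocks), mode) is not None:
                # Accepted, so the last decrypted byte was 15:
                # P_t[15] ^ C_{t-1}[15] ^ C_{n-1}[15] == 15
                recovered.append((BLOCK - 1) ^ blocks[t - 1][-1] ^ blocks[-2][-1])
                break
        else:
            break                                  # oracle never accepted: attack fails here
    return bytes(recovered)

if __name__ == "__main__":
    print("sslv3-style check:", poodle("sslv3"))
    print("tls-style check:  ", poodle("tls"))
```

With the SSLv3-style check the server accepts roughly one forged record in 256, and each acceptance gives away one byte of the cookie; with the TLS-style check the other fifteen padding bytes would also have to equal 15, which never happens for a transplanted block, so the oracle goes silent and nothing is recovered. A TLS stack that skips that second check behaves like the first case even though it speaks TLS.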

There have been no reports of widespread (or even narrowspread) exploits of POODLE, but Google and many other companies are well on their way to stopping browsers and servers from falling back to SSLv3 connections (the downgrade the attack depends on), and eventually to removing SSLv3 support altogether. Officially, SSLv3 was deprecated some time ago, but support for it has still been the norm out of a desire not to break things.

Langley says that both F5 and A10 networking equipment are affected. F5 has released updates. A10 planned to, but I cannot confirm that they have.

Langley closes by reminding readers that "...everything less than TLS 1.2 with an AEAD cipher suite is cryptographically broken," including many implementations which conform to current specifications. Doing cryptography right is hard.
