«Transcript of Episode #478 Page 1 of 18 Transcript of Episode #478 Poodle Bites Description: After catching up with a few interesting events from the ...»
So the client could simply issue, essentially send out in binary, for example, binary encode the cookie in a sequence of short and long queries: short query, short query, long, long, short, long, long, short, short, short, long, short, long. Somebody monitoring just looks at the length of the outgoing query, which is the client, the malicious client they stuck in the user's browser, essentially like using Morse code to communicate the sensitive data out over the wire. And so a passive attacker can use what is essentially a side channel attack in order to obtain that information. And that works on any protocol.
It doesn't require any vulnerability. And it's vastly simpler than this ridiculous thing that's going to get closed up here in a month or two.
So anyway, when I looked closely at what it took to actually pull this off, it looks like what they did was, I mean, they truly did find a problem. And, yes, there's a problem with the protocol. That should get fixed. We always want to fix our protocols. So any weaknesses should get fixed. I'm sure this will be. It's already fixed in OpenSSL. The other server platforms I'm sure will be pushing out support for TLS Fallback shortly. So this problem will go away.
But to me it looks like they took a theoretical vulnerability and then reverse-engineered an attack which is so difficult to pull off, if you could arrange, if you could set the situation up that makes that attack possible, then you're already able to do something far more easily and far more damaging against which there's no protection whatsoever, a side channel attack using query length in order for the browser to communicate out to a passive listener. So there you go. And Leo is now smoothly shaven.
Steve: Yes. It's a theoretical attack. Nobody has ever been attacked by it. I don't think anybody ever will. I mean, I just - it's not at all clear how it could ever actually be set up.
We know some pieces, but the requirement to run malicious script in the browser, that's the deal breaker because, if you could run malicious script in the browser...
Leo: In the words of Frank Zappa, I think we have - oh, I don't have any audio.
Darn it. I was going to play a little bit of a Frank Zappa song in which he says "the poodle bites."
Leo: Steve Gibson is at GRC.com. That's where he gets his mojo and his yabbadabba-dos. So be sure you go on over there.
Steve: And thank you to our listeners, yes.
Leo: Yes, buy some SpinRite and make his day. And Fred Flintstone's day. You can also, while you're there, find so many other great things, all free. The only one he charges for is SpinRite. You've got the Perfect Paper Passwords. You've got Password Haystacks. You've got information about SQRL and test implementations and a whole forum on that. And you have a place where you can ask questions. And there's always questions for Steve. You could tweet him because he's @SGgrc on the Twitter. But you can also go to GRC.com/feedback and leave your questions there.
Do you think - I know this was scheduled to be a Q&A.
Steve: Well, let's try for one next week.
Steve: As long as the sky doesn't fall, yes, I will suck up our mailbag from this week and last week, and we'll have a great Q&A next week.
Leo: Although I'm having to think that maybe this YubiKey may end up, FIDO may end up being part of the show, as well. But, you know, we have room for that.
Steve: Yeah. And if people ask me a question, then that's a perfect segue.
Leo: Of course you can also go there to get 16Kb audio versions, the smallest version offered, as well as nicely written transcripts.
Leo: Handwritten by a human being. Steve pays Elaine to do those.
Steve: No bots over here. We do not have Siri at this end, unh-unh.
Leo: We also have full-quality audio and video at our site, TWiT.tv/sn. And wherever finer podcasts are aggregated, you're sure to find it because it is one of the oldest shows on the 'Net nowadays.
Steve: We're surviving everybody else.
Steve: We're like the cockroach of the Internet.
Leo: Steve, what fun. Thank you so much for helping us don our propeller caps.
We'll see you next week.
Steve: Thanks, Leo.