SSL v3.0 (not new at all)

Author: Martin Voelk
November 27, 2014

We were quite surprised to read the new media hype around SSL v3 and its vulnerabilities. This is not new at all. Pentesters and the bad guys alike have known about this for years. Tools like the Intercepter on Android take over sessions of SSL websites in a Wi-Fi hotspot with ease. On the server side there are options to mitigate that behaviour, but those are typically not enabled. Session hijacking in a shared network is always a problem, but it doesn't just stop there. Anyone who goes online at an airport without a VPN and corporate tunnelling via corporate Internet gateways is always at risk. The fact that the browser lock shows closed and green means nothing as far as your session ID is concerned.

A lot of the problems could be dealt with by better user awareness, but unfortunately this seems to get worse every year instead of better.