February 8, 2019, By Kelly Jackson Higgins
Citrix issues update for encryption weakness dogging the popular security protocol.
Turns out a major design flaw discovered and patched five years ago in the old SSL 3.0 encryption protocol, which exposed secure sessions to the so-called POODLE attack
, didn't really die: A researcher has unearthed two new related vulnerabilities in the newer TLS 1.2 crypto protocol.
Craig Young, a computer security researcher for Tripwire's Vulnerability and Exposure Research Team, found vulnerabilities in SSL 3.0's successor, TLS 1.2, that allow for attacks akin to POODLE due to TLS 1.2's continued support for a long-outdated cryptographic method: cipher block-chaining (CBC). The flaws allow man-in-the-middle (MitM) attacks on a user's encrypted Web and VPN sessions.