The POODLE attack, or “Padding Oracle On Downgraded Legacy Encryption”, is a fairly recent attack that takes advantage of both the backwards compatibility integrated into SSL/TLS protocols and the means by which SSL/TLS protocols are negotiated. Its purpose is to force a downgrade from TLS 1.0/1.1/1.2 to SSL 3.0, which has an inherent flaw that allows an actor to decrypt a client-side cookie containing authentication data.
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are cryptographic protocols that are designed to provide security for communications over a computer network. Theoretically, they establish a link through which to communicate securely. The protocols are only theoretically secure because the security is dependent on the following assumptions:
I often get into debates on the use of encryption and its being the panacea of data protection. While encryption has proven itself a viable solution for many years, the problem is never in the algorithm, but rather in the management of the keys. In order for encryption to occur, the system must have the key to encrypt and decrypt the data. This means that the key resides somewhere on a computer system accessible by the application. How well the organization protects the key and ensures that the application handles the key appropriately is the most significant question.
According to NIST, with the proliferation of VOIP, the demands for security are significantly compounded. Now, network administrators must protect two invaluable assets – our data and our conversations. Federal agencies are required by law to protect a great deal of information, even if it is unclassified. The current Internet architecture does not provide the same physical wire security as the phone lines. What’s the solution? Encryption! Encryption! Encryption!
Encrypting VOIP traffic and running it over a virtual private network provides excellent security when dealing with external communications. Architecture decisions, like locating IP telephones behind NATs and firewalls, are also important.
We can all breathe a collective sigh of relief – terrorists now have the ability to communicate securely [reuters.com]. I was really starting to be concerned for their privacy…