> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Kurt Roeckx
> Sent: Wednesday, 05 November, 2014 13:05
>
> On Wed, Nov 05, 2014 at 03:57:48PM +0530, Venkat V wrote:
> >
> > Can you please let me know if FTP service can be impacted by POODLE
> > vulnerability
>
> The attack depends on being able to let the client connect
> multiple times and have control over part of the plain text.

Well, the POODLE attack specifically depends on that; but the underlying issue is much more general.

> So my understanding is that it is theoretically possible but very
> unlikely.

The OP is asking the wrong question. SSL 3 is broken. It's broken for any application protocol that's tunneled through it. The specific attack described in the POODLE paper is for HTTP, but SSL 3 suffers from a padding-oracle attack for block ciphers (and other vulnerabilities).

Chances are, if your threat model requires SSL-style communications security, it now requires TLS. The application protocol is largely irrelevant; even if there's no published attack now, there may be one tomorrow.

--
Michael Wojcik
Technology Specialist, Micro Focus
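
Why the application protocol is irrelevant, as an added example that is not part of the original message: SSL 3.0 leaves CBC padding bytes unspecified and outside the MAC, so a receiver can only check the final length byte, while TLS 1.0 and later require every padding byte to equal the length. The function names, the 8-byte block size and the sample payloads are constructed for illustration.

```python
# Added example: CBC padding checks as specified for SSL 3.0 and for TLS 1.0+.
# Inputs stand for the decrypted tail of a record; the MAC is omitted for brevity.

BLOCK = 8  # assumed block size in bytes (3DES-sized); AES would use 16


def ssl3_padding_ok(plaintext, block=BLOCK):
    """SSL 3.0: only the final length byte is constrained.

    The padding bytes are arbitrary and not covered by the MAC, so the
    receiver has nothing to compare them against.
    """
    if not plaintext or len(plaintext) % block:
        return False
    pad_len = plaintext[-1]
    return pad_len < block and pad_len + 1 <= len(plaintext)


def tls_padding_ok(plaintext, block=BLOCK):
    """TLS 1.0+: every padding byte must equal the padding length."""
    if not plaintext or len(plaintext) % block:
        return False
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return False
    return all(b == pad_len for b in plaintext[-(pad_len + 1):])


def pad(data, filler=None, block=BLOCK):
    """Pad to a block multiple; filler=None writes TLS-style padding bytes."""
    pad_len = block - 1 - (len(data) % block)
    fill = pad_len if filler is None else filler
    return data + bytes([fill]) * pad_len + bytes([pad_len])


def compare(payloads):
    """Return {name: (ssl3_accepts, tls_accepts)} when padding bytes were altered."""
    result = {}
    for name, data in payloads.items():
        altered = pad(data, filler=0xAA)  # padding differs from what was sent
        result[name] = (ssl3_padding_ok(altered), tls_padding_ok(altered))
    return result


SAMPLES = {  # constructed payloads for two different application protocols
    "ftp": b"USER anonymous\r\n",
    "http": b"GET / HTTP/1.1\r\n",
}

if __name__ == "__main__":
    for proto, (ssl3, tls) in compare(SAMPLES).items():
        print(f"{proto}: SSL3 accepts={ssl3}  TLS accepts={tls}")
```

The result is the same for the FTP and HTTP payloads because the check lives in the record layer, below whatever protocol is tunneled.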