1. 11

Daniel Fox Franke:

POODLE is a death blow to [SSL v3.0]; it can only reasonably be fixed by disabling [this version of the protocol] altogether.

This post is meant to be a “simple as possible, but no simpler” explanation of POODLE. I’ve tried to make it accessible to as many readers as possible and yet still go into full and accurate technical detail and provide complete citations. However, as the title implies, I have a second goal, which is to explain not merely how POODLE works, but the historical mistakes which allow it to work: mistakes that are still with us even though we’ve known better for over a decade.

  1.  

  2. 3

    Every time somebody tells me how excellent his code is because it has been maintained and updated for years, I always look at when it was designed, if it has been redesigned and what we gained for it. Unfortunately, you can do this only for the projects you are directly involved in as a developer and using them in your code. It is scary that we have no knowledge over how much design and implementation errors of decades ago are still around the corner, waiting for us to stumble as end users. It is terrifying. The transitive trust model is fundamentally broken: “well, they must know what they are doing if they are credited to be X”. Sheer terror.