Closed mpgn closed 6 years ago
Okay, I finally found a way! But in Chrome, not Firefox :laughing:
This is the capture of the Wireshark traffic, the proof:
I will implement the downgrade method during the next week and push the code after! :smile:
It will be very helpful. Please let me know when it's available.
Any updates related to pushing the code will be very helpful 👍
Can't wait to test it 👍
How it works?
During the handshake (after the client hello), the exploit sends a handshake_failure `15030000020228`, then the browser should resend a client hello with SSLv3.0 as the default protocol. Tested on Chrome version 15, but it's not working on Firefox (I think it doesn't support protocol renegotiation).
For now, and after many attempts, I didn't find a proper way to downgrade the protocol to SSLv3 if TLS was negotiated first (with old versions of openssl/browser that didn't support TLS Fallback SCSV).
Sending a handshake failure during the handshake was not working, for example, with Firefox. I also didn't find a real example on the internet.
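
The bytes quoted in this thread, `15030000020228`, are a single TLS alert record. The following is an added example, not code from this repository: it decodes that record and flags the fallback pattern described above (a ClientHello offering a lower version after a fatal alert) in a record sequence. The function names and the sample records are assumptions constructed for illustration.

```python
import struct

# Values from the SSL 3.0 / TLS record layer and alert protocol (86 is from RFC 7507).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3.0", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure",
                      70: "protocol_version", 86: "inappropriate_fallback"}

def parse_record(data):
    """Parse one plaintext TLS record: 5-byte header followed by the fragment."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    fragment = data[5:5 + length]
    if len(fragment) != length:
        raise ValueError("truncated fragment")
    rec = {"type": CONTENT_TYPES.get(ctype, ctype),
           "version": VERSIONS.get((major, minor), (major, minor))}
    if ctype == 21 and length == 2:          # unencrypted alert: level + description
        rec["level"] = ALERT_LEVELS.get(fragment[0], fragment[0])
        rec["description"] = ALERT_DESCRIPTIONS.get(fragment[1], fragment[1])
    elif ctype == 22 and length >= 6 and fragment[0] == 1:
        # ClientHello: msg_type(1) + length(3) + client_version(2)
        rec["client_version"] = (fragment[4], fragment[5])
    return rec

def find_downgrade(records):
    """Return (earlier, later) version names if a ClientHello offers a lower
    version than a previous one after a fatal alert was seen; otherwise None."""
    highest, alerted = None, False
    for raw in records:
        rec = parse_record(raw)
        if rec.get("level") == "fatal":
            alerted = True
        ver = rec.get("client_version")
        if ver:
            if alerted and highest and ver < highest:
                return VERSIONS.get(highest, highest), VERSIONS.get(ver, ver)
            highest = max(highest or ver, ver)
    return None

# Constructed sample (not a real capture): ClientHello bodies are cut down to
# message type, length and client_version; the alert is the one from the thread.
SAMPLE = [bytes.fromhex(h) for h in (
    "1603010006010000020301",   # ClientHello offering TLSv1.0
    "15030000020228",           # fatal handshake_failure alert
    "1603000006010000020300",   # retried ClientHello offering SSLv3.0
)]
```

A monitor built on this pattern only sees alerts sent before encryption starts, which is the case described in the thread.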