Oh, God, not again . . .
Looks like it's Tinfoil Hat time again.
http://poodlebleed.com/
http://web.nvd.nist.gov/view/vuln/detai … -2014-3566
https://www.us-cert.gov/ncas/alerts/TA14-290A
So, is this a major issue now? Is there anything being done about it?
OK, as far as I know, the biggest threat is through browsers, so to be specific, is #!'s default browser Iceweasel (which I currently use) vulnerable? If so, is there a patch yet? Is there anything else we can do to protect ourselves (besides just pulling out the ethernet cable)?
Last edited by #!_828 (2014-10-29 20:42:17)
Those who would trade essential liberty for temporary security deserve neither
Member of the (Un)Official #! Emergency Tinfoil Hat Distribution Center
Emergency Tinfoil Hat Conky Alert System development team
Hello,
There is a good article from Ars Technica explaining the problem and suggested solutions: http://arstechnica.com/security/2014/10 … le-attack/
If you use Seamonkey it is as easy as going to Edit-Preferences-Privacy/Security-SSL, then uncheck SSL and leave all TLS versions checked. This will force the browser to use TLS and not SSL.
For Firefox/Iceweasel: you can install an addon from Mozilla to disable SSL, or go to about:config and disable ssl (0) to force TLS; be careful if you use about:config, as you can mess up the browser. Or wait until 11/25 for the next release of Firefox, which will have SSL disabled by default. Anyway, the article and supplied links do a good job of explaining it.
Regards!
So, is this a major issue now? Is there anything being done about it?
>>>https://security-tracker.debian.org/tra … -2014-3566.
POODLE can be mitigated most easily by changing server-side configuration to only use TLS1.2 with high-grade ciphers: https://zmap.io/sslv3/servers.html.
Alternatively, clients can be configured to simply disallow SSL[23] connection requests to begin with. https://disablessl3.com.
For sysadmins, this is old news by now
Last edited by twoion (2014-10-29 21:34:07)
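A worked check for the server-side point above, added here as an example; it is not code from this thread, from poodlebleed.com or from the zmap scanner. It builds the SSL 3.0 ClientHello a POODLE scanner sends (record and handshake layout per RFC 6101; the two CBC suites offered, 0x002f and 0x000a, are sample choices) and classifies the first record the server answers with. A ServerHello carrying server_version 3.0 means the server still accepts SSLv3; a fatal alert (protocol_version or handshake_failure) means it refused. The two sample replies are constructed, not captured from a real host, and only `probe()` touches the network.

```python
"""SSLv3 acceptance check for POODLE (CVE-2014-3566).

Added example, not code from the thread or from any linked tool. It sends the
kind of ClientHello a POODLE scanner uses and reads the server's first record.
Wire layout follows RFC 6101 (SSL 3.0); the TLS record header is identical.
"""
import socket
import struct
import sys

SSLV3 = (3, 0)

# Sample CBC suites to offer. POODLE needs a CBC suite, so a server that picks
# one of these under SSL 3.0 is exposed (0x002f = AES128-SHA, 0x000a = DES-CBC3-SHA).
CBC_SUITES = (0x002F, 0x000A)

RECORD_HANDSHAKE = 0x16
RECORD_ALERT = 0x15
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02
ALERT_PROTOCOL_VERSION = 70   # what a patched OpenSSL answers an SSLv3 hello with
ALERT_HANDSHAKE_FAILURE = 40  # what older builds answer with


def build_client_hello(version=SSLV3, suites=CBC_SUITES):
    """Return one handshake record carrying a ClientHello for `version`."""
    body = struct.pack("!BB", *version)          # client_version
    body += bytes(32)                            # random (fixed; fine for a probe)
    body += b"\x00"                              # session_id length 0
    body += struct.pack("!H", 2 * len(suites))   # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                          # compression_methods: null only
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([RECORD_HANDSHAKE]) + struct.pack("!BB", *version)
            + struct.pack("!H", len(handshake)) + handshake)


def parse_record(data):
    """Split the first record off `data` -> (content_type, version, payload)."""
    if len(data) < 5:
        raise ValueError("short record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if len(data) < 5 + length:
        raise ValueError("truncated record")
    return ctype, (major, minor), data[5:5 + length]


def classify_response(data):
    """Classify the server's first record after an SSLv3 ClientHello.

    'sslv3_accepted'  ServerHello with server_version 3.0 (vulnerable)
    'sslv3_rejected'  an alert record, e.g. protocol_version / handshake_failure
    'unknown'         empty reply, closed socket, or something unparseable
    """
    try:
        ctype, _record_version, payload = parse_record(data)
    except ValueError:
        return "unknown"
    if ctype == RECORD_ALERT and len(payload) >= 2:
        return "sslv3_rejected"
    if ctype == RECORD_HANDSHAKE and len(payload) >= 6 and payload[0] == HS_SERVER_HELLO:
        server_version = (payload[4], payload[5])  # after type(1) + length(3)
        if server_version == SSLV3:
            return "sslv3_accepted"
    return "unknown"


def probe(host, port=443, timeout=5.0):
    """Live check (needs network): offer SSLv3 only and classify the answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""
    return classify_response(reply)


def _server_hello(version, suite):
    """Constructed ServerHello record (not captured from a real host)."""
    body = (struct.pack("!BB", *version) + bytes(32) + b"\x00"
            + struct.pack("!H", suite) + b"\x00")
    handshake = bytes([HS_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([RECORD_HANDSHAKE]) + struct.pack("!BB", *version)
            + struct.pack("!H", len(handshake)) + handshake)


# Constructed sample replies for offline use.
SAMPLE_VULNERABLE = _server_hello(SSLV3, 0x002F)
SAMPLE_PATCHED = bytes([RECORD_ALERT, 3, 0, 0, 2, 2, ALERT_PROTOCOL_VERSION])  # fatal alert


if __name__ == "__main__":
    for name, reply in (("vulnerable sample", SAMPLE_VULNERABLE),
                        ("patched sample", SAMPLE_PATCHED)):
        print(f"{name}: {classify_response(reply)}")
    if len(sys.argv) > 1:  # e.g. python3 poodle_check.py example.com
        print(f"{sys.argv[1]}: {probe(sys.argv[1])}")
```

Run it with a hostname to probe a live server; without one it only classifies the two constructed replies. A server that drops the connection on an SSLv3 hello comes back as "unknown", which is also a refusal but worth confirming by eye. This checks only whether SSL 3.0 can still be negotiated, which is exactly the server-side change the linked pages ask for; it says nothing about which TLS versions or ciphers the server offers.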
^^ But what about something like this? We'd (possibly) lose all SSL functionality.
Anyways, according to Debian security tracker, it appears that Iceweasel has only been patched for Sid thus far, & Chromium, along with a crapload of server software & other packages, including gnutils, conkeror, yaws, & OpenSSL itself, are still quite vulnerable
EDIT: Damn ninjas! ]:D
Last edited by #!_828 (2014-10-29 21:35:59)
^^ Just to be perfectly clear, simply disabling SSL3 (setting security.tls.version.min to 1 from about:config) is all it takes to fix it? This will still allow me to establish secure connections, right?
Last edited by #!_828 (2014-10-29 21:48:18)
^^ Just to be perfectly clear, simply disabling SSL3 (setting security.tls.version.min to 1 from about:config) is all it takes to fix it? This will still allow me to establish secure connections, right?
security.tls.version.min = 1 - just did my Online banking ... works fine.
I'm BL ModSquad · BunsenLabs Forums now Open for Registration
So then, it looks like we're all good here. Well, time to put the Tinfoil Hats away . . . for now. Wait! We're still at SPAMCON 3, everybody keep your Tinfoil Hats right where they are (assuming that's in the 'on' position)!
SSL3 is ancient; it's 1990s technology, and TLS is its successor. If you fail to establish a connection using TLS (hopefully using the latest version, 1.2, from 2008), that mostly has one of two reasons: the server doesn't support TLS properly, or your client/browser doesn't. This begins with the general support and ends with the problem of the server and client having no ciphers in common (server and client negotiate this). Older browsers had many issues with TLS, and thus SSL has almost always been left enabled as a fallback, and for the same compatibility reasons most servers also offer older/weaker ciphers to clients. It's time for these problems to die, and if your bank doesn't do proper TLS, you should consider ditching them because their tech doesn't live up to modern standards. SSL must die.
Comparison of TLS implementations.
I'm only worried about the millions of legacy SSL libraries in semi-smart and smartphones out there that will never get updated. This is just one reason why manufacturers not providing LTS for their handsets must get fined to death...
^ So, in other words . . .
Death to SSL! TLS Power! ]:D
Last edited by #!_828 (2014-10-29 23:25:38)
Copyright © 2012 CrunchBang Linux.
Proudly powered by Debian. Hosted by Linode.
Debian is a registered trademark of Software in the Public Interest, Inc.