[CVE-2014-3566] OpenSSL 'POODLE' - Is #! Vulnerable?

#!_828 · 2014-10-29 20:26:28

Oh, God, not again . . .

Looks like it's Tinfoil Hat time again.
http://poodlebleed.com/
http://web.nvd.nist.gov/view/vuln/detai … -2014-3566
https://www.us-cert.gov/ncas/alerts/TA14-290A

So, is this a major issue now? Is there anything being done about it?

OK, as far as I know, the biggest threat is through browsers, so to be specific, is #!'s default browser Iceweasel (which I currently use) vulnerable? If so, is there a patch yet? Is there anything else we can do to protect ourselves (besides just pulling out the ethernet cable) ?

Last edited by #!_828 (2014-10-29 20:42:17)

ChuangTzu · 2014-10-29 20:59:32

Hello,

There is a good article from Arstechnica explaining the problem and suggested solutions. http://arstechnica.com/security/2014/10 … le-attack/http://arstechnica.com/security/2014/10 … le-attack/

If you use Seamonkey it is as easy as going to Edit-Preferences-Privacy/Security-SSL, then uncheck SSL and leave all TLS versions checked. This will force the browser to use TLS and not SSL.

For Firefox/Iceweasel: you can install an addon from Mozilla to disable SSL or go to about:config and disable ssl (0) to force TLS, be careful if you use about:config as you can mess up the browser. Or wait until 11/25 for the next release of Firefox which will have SSL disabled by default. Anyway the article and and supplied links do a good job of explaining it.

Regards!

twoion · 2014-10-29 21:30:30

#!_828 wrote:

So, is this a major issue now? Is there anything being done about it?

>>>https://security-tracker.debian.org/tra … -2014-3566.

POODLE can be mitiagated most easily by changing server-side configuration to only use TLS1.2 with high-grade ciphers https://zmap.io/sslv3/servers.html.

Alternatively, clients can be configured to simply disallow SSL[23] connection requests to begin with. https://disablessl3.com.

For sysadmins, this is old news by now

Last edited by twoion (2014-10-29 21:34:07)

#!_828 · 2014-10-29 21:34:56

^^ But what about something like this? We'd (possibly) lose all SSL functionality.

Anyways, according to Debian security tracker, it appears that Iceweasel has only been patched for Sid thus far, & Chromium, along with a crapload of server software & other packages, including gnutils, conkeror, yaws, & OpenSSL itself, are still quite vulnerable

EDIT: Damn ninjas! ]:D

Last edited by #!_828 (2014-10-29 21:35:59)

#!_828 · 2014-10-29 21:47:54

^^ Just to be perfectly clear, simply disabling SSL3 (setting security.tls.version.min to 1 from about:config) is all it takes to fix it? This will still allow me to establish secure connections, right?

Last edited by #!_828 (2014-10-29 21:48:18)

Sector11 · 2014-10-29 22:41:21

#!_828 wrote:

^^ Just to be perfectly clear, simply disabling SSL3 (setting security.tls.version.min to 1 from about:config) is all it takes to fix it? This will still allow me to establish secure connections, right?

security.tls.version.min = 1 - just did my Online banking ... works fine.

I'm

#!_828 · 2014-10-29 22:54:03

So then, it looks like we're all good here. Well, time to put the Tinfoil Hats away . . . for now. Wait! We're still at SPAMCON 3, everybody keep your Tinfoil Hats right where they are (assuming that's in the 'on' position)!

twoion · 2014-10-29 23:12:42

SSL3 is ancient, it's 1990s technology, TLS is its successor. If you fail to establish a connection using TLS (hopefully using the latest version 1.2 from 2008) that mostly has two reasons: the server doesn't support TLS properly or your client/browser doesn't. This begins with the general support and ends with the problem of the server and client having no ciphers in common (server and client negotiate this). Older browsers had many issues with TLS and thus SSL has almost always been left enabled as a fall back, and for the same compatibility reasons most servers also offer older/weaker ciphers to clients. It's time for these problems to die and if your bank doesn't do proper TLS, you should consider ditching them because their tech doesn't live up to modern standards. SSL must die.

Comparison of TLS implementations.

I'm only worried about the millions of legacy SSL libraries in semi-smart and smartphones out there that will never get updated. This is just one reason why manufacturers not providing LTS for their handsets must get fined to death...

#!_828 · 2014-10-29 23:23:23

^ So, in other words . . .

Death to SSL! TLS Power!
]:D

Last edited by #!_828 (2014-10-29 23:25:38)

CrunchBang Linux

SEARCH

#1 2014-10-29 20:26:28

[CVE-2014-3566] OpenSSL 'POODLE' - Is #! Vulnerable?

#2 2014-10-29 20:59:32

Re: [CVE-2014-3566] OpenSSL 'POODLE' - Is #! Vulnerable?

#3 2014-10-29 21:30:30

Re: [CVE-2014-3566] OpenSSL 'POODLE' - Is #! Vulnerable?

#4 2014-10-29 21:34:56

Re: [CVE-2014-3566] OpenSSL 'POODLE' - Is #! Vulnerable?

#5 2014-10-29 21:47:54

Re: [CVE-2014-3566] OpenSSL 'POODLE' - Is #! Vulnerable?

#6 2014-10-29 22:41:21

Re: [CVE-2014-3566] OpenSSL 'POODLE' - Is #! Vulnerable?

#7 2014-10-29 22:54:03

Re: [CVE-2014-3566] OpenSSL 'POODLE' - Is #! Vulnerable?

#8 2014-10-29 23:12:42

Re: [CVE-2014-3566] OpenSSL 'POODLE' - Is #! Vulnerable?

#9 2014-10-29 23:23:23

Re: [CVE-2014-3566] OpenSSL 'POODLE' - Is #! Vulnerable?

Board footer