#1 2014-10-29 20:26:28

#!_828
#! Tinfoil Hat
From: Ohio, U. S. of A.
Registered: 2013-09-19
Posts: 1,244

[CVE-2014-3566] OpenSSL 'POODLE' - Is #! Vulnerable?

Oh, God, not again . . . yikes

Looks like it's Tinfoil Hat time again.
http://poodlebleed.com/
http://web.nvd.nist.gov/view/vuln/detai … -2014-3566
https://www.us-cert.gov/ncas/alerts/TA14-290A

So, is this a major issue now? Is there anything being done about it? hmm

OK, as far as I know, the biggest threat is through browsers, so to be specific, is #!'s default browser Iceweasel (which I currently use) vulnerable? If so, is there a patch yet? Is there anything else we can do to protect ourselves (besides just pulling out the ethernet cable) ?

Last edited by #!_828 (2014-10-29 20:42:17)


Those who would trade essential liberty for temporary security deserve neither
Member of the (Un)Official #! Emergency Tinfoil Hat Distribution Center
Emergency Tinfoil Hat Conky Alert System development team



#2 2014-10-29 20:59:32

ChuangTzu
New Member
Registered: 2014-10-29
Posts: 1

Re: [CVE-2014-3566] OpenSSL 'POODLE' - Is #! Vulnerable?

Hello,
 
  There is a good article from Ars Technica explaining the problem and suggested solutions.  http://arstechnica.com/security/2014/10 … le-attack/

  If you use Seamonkey it is as easy as going to Edit-Preferences-Privacy/Security-SSL, then uncheck SSL and leave all TLS versions checked.  This will force the browser to use TLS and not SSL.

   For Firefox/Iceweasel: you can install an addon from Mozilla to disable SSL or go to about:config and disable ssl (0) to force TLS; be careful if you use about:config as you can mess up the browser.  Or wait until 11/25 for the next release of Firefox, which will have SSL disabled by default.  Anyway, the article and supplied links do a good job of explaining it.

  Regards!


#3 2014-10-29 21:30:30

twoion
Moderator
Registered: 2012-05-11
Posts: 1,648

Re: [CVE-2014-3566] OpenSSL 'POODLE' - Is #! Vulnerable?

#!_828 wrote:

So, is this a major issue now? Is there anything being done about it? hmm

https://security-tracker.debian.org/tra … -2014-3566

POODLE can be mitigated most easily by changing server-side configuration to only use TLS 1.2 with high-grade ciphers: https://zmap.io/sslv3/servers.html.

Alternatively, clients can be configured to simply disallow SSL[23] connection requests to begin with. https://disablessl3.com.

For sysadmins, this is old news by now smile

Last edited by twoion (2014-10-29 21:34:07)


Tannhäuser ~ {www,pkg,ddl}.bunsenlabs.org/{gitlog,repoidx}


#4 2014-10-29 21:34:56

#!_828
#! Tinfoil Hat
From: Ohio, U. S. of A.
Registered: 2013-09-19
Posts: 1,244

Re: [CVE-2014-3566] OpenSSL 'POODLE' - Is #! Vulnerable?

^^ But what about something like this? We'd (possibly) lose all SSL functionality.

Anyways, according to the Debian security tracker, it appears that Iceweasel has only been patched for Sid thus far, & Chromium, along with a crapload of server software & other packages, including gnutls, conkeror, yaws, & OpenSSL itself, are still quite vulnerable  neutral

EDIT: Damn ninjas! ]:D

Last edited by #!_828 (2014-10-29 21:35:59)



#5 2014-10-29 21:47:54

#!_828
#! Tinfoil Hat
From: Ohio, U. S. of A.
Registered: 2013-09-19
Posts: 1,244

Re: [CVE-2014-3566] OpenSSL 'POODLE' - Is #! Vulnerable?

^^ Just to be perfectly clear, simply disabling SSL3 (setting security.tls.version.min to 1 from about:config) is all it takes to fix it? This will still allow me to establish secure connections, right?

Last edited by #!_828 (2014-10-29 21:48:18)



#6 2014-10-29 22:41:21

Sector11
#!'er to BL'er
From: SR11 Cockpit
Registered: 2010-05-05
Posts: 15,667

Re: [CVE-2014-3566] OpenSSL 'POODLE' - Is #! Vulnerable?

#!_828 wrote:

^^ Just to be perfectly clear, simply disabling SSL3 (setting security.tls.version.min to 1 from about:config) is all it takes to fix it? This will still allow me to establish secure connections, right?

security.tls.version.min = 1 - just did my Online banking ... works fine.

I'm cool


·  ↓   ↓   ↓   ↓   ↓   ↓  ·
BunsenLabs Forums now Open for Registration
·  ↑   ↑   ↑   ↑   ↑   ↑  · BL ModSquad


#7 2014-10-29 22:54:03

#!_828
#! Tinfoil Hat
From: Ohio, U. S. of A.
Registered: 2013-09-19
Posts: 1,244

Re: [CVE-2014-3566] OpenSSL 'POODLE' - Is #! Vulnerable?

So then, it looks like we're all good here. Well, time to put the Tinfoil Hats away . . . for now. Wait! We're still at SPAMCON 3, everybody keep your Tinfoil Hats right where they are (assuming that's in the 'on' position)!  cool



#8 2014-10-29 23:12:42

twoion
Moderator
Registered: 2012-05-11
Posts: 1,648

Re: [CVE-2014-3566] OpenSSL 'POODLE' - Is #! Vulnerable?

SSL3 is ancient, it's 1990s technology, TLS is its successor. If you fail to establish a connection using TLS (hopefully using the latest version 1.2 from 2008) that mostly has two reasons: the server doesn't support TLS properly or your client/browser doesn't. This begins with the general support and ends with the problem of the server and client having no ciphers in common (server and client negotiate this). Older browsers had many issues with TLS and thus SSL has almost always been left enabled as a fall back, and for the same compatibility reasons most servers also offer older/weaker ciphers to clients. It's time for these problems to die and if your bank doesn't do proper TLS, you should consider ditching them because their tech doesn't live up to modern standards. SSL must die.

Comparison of TLS implementations.

I'm only worried about the millions of legacy SSL libraries in semi-smart and smartphones out there that will never get updated. This is just one reason why manufacturers not providing LTS for their handsets must get fined to death...


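Added example, not from any post in this thread and not the code behind the zmap.io or disablessl3.com checks linked in #3: an offline Python model of what a server-side SSLv3 probe does (send an SSL 3.0 ClientHello, classify the reply), plus the RFC 7507 TLS_FALLBACK_SCSV rule a patched server applies to the downgraded retry that the version negotiation in #8 describes. It goes a little beyond the thread in distinguishing CBC from RC4 suites, since POODLE needs a CBC suite. The cipher-suite table is a hand-picked subset, all server replies are constructed fixtures (no network I/O), and the function names are mine.

```python
"""Offline model of the SSLv3 probe used to test for CVE-2014-3566 (POODLE).
Send a ClientHello at SSL 3.0 (0x0300) and classify the first record that
comes back: a ServerHello at 0x0300 with a CBC suite is what POODLE needs,
an RC4 suite means SSLv3 is on but without the padding oracle, and a
protocol_version / handshake_failure alert means SSLv3 is refused.
No network I/O: the server replies used below are constructed fixtures.
"""
import os
import struct

SSL3, TLS12 = 0x0300, 0x0303
TLS_FALLBACK_SCSV = 0x5600                      # RFC 7507 signalling suite
RECORD_HANDSHAKE, RECORD_ALERT = 0x16, 0x15
HS_CLIENT_HELLO, HS_SERVER_HELLO = 0x01, 0x02
ALERT_HANDSHAKE_FAILURE, ALERT_PROTOCOL_VERSION, ALERT_INAPPROPRIATE_FALLBACK = 40, 70, 86

# Hand-picked subset of IANA suite ids, enough to tell CBC from stream ciphers.
CBC_SUITES = {0x000A: "RSA-3DES-CBC-SHA", 0x002F: "RSA-AES128-CBC-SHA",
              0x0035: "RSA-AES256-CBC-SHA"}
STREAM_SUITES = {0x0004: "RSA-RC4-MD5", 0x0005: "RSA-RC4-SHA"}


def _handshake_record(version, hs_type, body):
    """Wrap one handshake message in a record (type 0x16) at `version`."""
    msg = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", RECORD_HANDSHAKE, version, len(msg)) + msg


def build_client_hello(version=SSL3, suites=None, fallback_scsv=False, random_bytes=None):
    """ClientHello record for `version`; fallback_scsv=True appends the SCSV a
    client sends on a downgraded retry so a patched server can refuse it."""
    suites = list(suites or CBC_SUITES) + ([TLS_FALLBACK_SCSV] if fallback_scsv else [])
    if random_bytes is None:
        random_bytes = os.urandom(32)
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", version) + random_bytes
            + b"\x00"                                   # empty session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")                              # compression: null only
    return _handshake_record(version, HS_CLIENT_HELLO, body)


def parse_client_hello(record):
    """Return (client_version, [suite ids]) from a ClientHello record."""
    ctype, _rec_version, length = struct.unpack("!BHH", record[:5])
    body = record[5:5 + length]
    if ctype != RECORD_HANDSHAKE or body[0] != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hello = body[4:]
    pos = 35 + hello[34]                                # skip random + session id
    suites_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    suites = [struct.unpack("!H", hello[i:i + 2])[0]
              for i in range(pos + 2, pos + 2 + suites_len, 2)]
    return struct.unpack("!H", hello[:2])[0], suites


def server_should_refuse(client_version, client_suites, server_max=TLS12):
    """RFC 7507 check a fixed server makes: fallback signalled and the client
    asked for less than we support, so answer with inappropriate_fallback."""
    return TLS_FALLBACK_SCSV in client_suites and client_version < server_max


def classify_response(record):
    """Classify the first record a server sends back to the SSLv3 probe."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    body = record[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record body")
    if ctype == RECORD_ALERT and len(body) == 2:
        refusals = (ALERT_HANDSHAKE_FAILURE, ALERT_PROTOCOL_VERSION, ALERT_INAPPROPRIATE_FALLBACK)
        return "sslv3_refused" if body[1] in refusals else "alert_%d" % body[1]
    if ctype == RECORD_HANDSHAKE and body and body[0] == HS_SERVER_HELLO:
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        server_version = struct.unpack("!H", hello[:2])[0]
        pos = 35 + hello[34]                            # skip random + session id
        suite = struct.unpack("!H", hello[pos:pos + 2])[0]
        if server_version != SSL3:
            return "negotiated_%04x" % server_version
        if suite in CBC_SUITES:
            return "poodle_vulnerable"                  # SSLv3 + CBC padding oracle
        return "sslv3_rc4_only" if suite in STREAM_SUITES else "sslv3_unknown_suite"
    return "unexpected_record"


# Constructed fixtures standing in for a real server's reply.
def make_server_hello(version, suite, session_id=b""):
    hello = (struct.pack("!H", version) + b"\x11" * 32 + bytes([len(session_id)])
             + session_id + struct.pack("!H", suite) + b"\x00")
    return _handshake_record(version, HS_SERVER_HELLO, hello)


def make_alert(description, level=2):
    return struct.pack("!BHH", RECORD_ALERT, SSL3, 2) + bytes([level, description])


if __name__ == "__main__":
    print("probe offers", parse_client_hello(build_client_hello()))
    for name, reply in [("unpatched", make_server_hello(SSL3, 0x002F)),
                        ("fixed", make_alert(ALERT_PROTOCOL_VERSION))]:
        print(name, "->", classify_response(reply))
```

To turn this into a live check you would write the `build_client_hello()` bytes to a TCP socket on port 443 and feed the first record read back into `classify_response()`; a server that has been fixed the way #3 suggests answers the SSLv3 probe with an alert, not a ServerHello. The SCSV half is what stops the retry trick on servers that still keep SSLv3 for old clients: the client's downgraded retry carries TLS_FALLBACK_SCSV, and `server_should_refuse()` says no because the client already proved it can do better.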

#9 2014-10-29 23:23:23

#!_828
#! Tinfoil Hat
From: Ohio, U. S. of A.
Registered: 2013-09-19
Posts: 1,244

Re: [CVE-2014-3566] OpenSSL 'POODLE' - Is #! Vulnerable?

^ So, in other words . . .

Death to SSL! TLS Power!
[image: Al-Shabaab-Militia.jpg]  ]:D

Last edited by #!_828 (2014-10-29 23:25:38)




Powered by FluxBB

Copyright © 2012 CrunchBang Linux.
Proudly powered by Debian. Hosted by Linode.
Debian is a registered trademark of Software in the Public Interest, Inc.