Major flaw in outdated but widely-used SSL protocol (POODLE)

Discussion in 'other security issues & news' started by MrBrian, Oct 14, 2014.

  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,798
    Location:
    Texas
  3. ronjor

  4. ronjor

    http://betanews.com/2014/10/15/mozi...ne-to-poodle-releases-fix-for-older-versions/
     
  5. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,198
    Location:
    Surrey, England.
    http://www.wired.com/2014/10/poodle-explained/

    SSL 3.0 vulnerability discovered. Find out how to protect yourself
     
    Last edited: Oct 15, 2014
  6. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    1,957
    Location:
    DC Metro Area
  7. MrBrian

    To disable SSL 3.0 protocol in Firefox, do either of these:
    1. Use Mozilla's extension SSL Version Control.
    2. Manual method: Set about:config setting security.tls.version.min = 1.
     
  8. ronjor

  9. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,133
    Location:
    USA
    This workaround involves Group Policy Editor. For those using versions of Windows that don't include GPE, simply go to Control Panel/Internet Options/Advanced/Security and uncheck the box for SSL 3.0 (SSL 2.0 should already be unchecked).
     
  10. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,052
    Location:
    USA
    Definitely the easier option. I just got done making that change on about 15 machines.
     
  11. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
  12. Victek

    The word is Google will be releasing an update for Chrome to disable SSL 3.0, however users can immediately disable it by adding this string to a Chrome shortcut:

    chrome.exe" --ssl-version-min=tls1

    Note I haven't actually tested this...
     


  13. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Fox-IT blog:
    http://blog.fox-it.com/2014/10/15/poodle/

     
  14. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,088
    The problem with Chrome is that those flags are not used if another application launches Chrome (let's say Outlook). I hope that they will add this option in settings in a future release.
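
Added example, not part of any post in this thread: a Python audit of one machine for the three workarounds posted above (Firefox `security.tls.version.min`, the Internet Options SSL 3.0 checkbox, Chrome's `--ssl-version-min` flag). Because a shortcut flag is lost when another application starts Chrome, it inspects the command lines of running Chrome processes rather than the shortcut. The `SecureProtocols` bit values, all function names and the sample data are assumptions or constructed here, not taken from the thread.

```python
import re
# SecureProtocols DWORD bits behind the Internet Options checkboxes (assumed, not in the thread).
SSL_BITS = {0x08: "SSL 2.0", 0x20: "SSL 3.0"}
PREF_RE = re.compile(r'user_pref\("security\.tls\.version\.min",\s*(\d+)\s*\);')
FLAG_RE = re.compile(r'--ssl-version-min=([\w.]+)')

def firefox_tls_min(prefs_text):
    """Return security.tls.version.min from prefs.js text, or None if unset."""
    found = PREF_RE.findall(prefs_text)
    return int(found[-1]) if found else None  # the last assignment wins

def ie_legacy_protocols(secure_protocols):
    """Names of the SSL versions still enabled in the SecureProtocols bitmask."""
    return [name for bit, name in sorted(SSL_BITS.items()) if secure_protocols & bit]

def chrome_unpinned(cmdlines):
    """Chrome browser processes whose command line does not set a TLS minimum."""
    bad = []
    for cmd in cmdlines:
        if "chrome.exe" not in cmd.lower() or "--type=" in cmd:
            continue  # not Chrome, or a renderer/GPU child process
        flag = FLAG_RE.search(cmd)
        if flag is None or flag.group(1).lower() == "ssl3":
            bad.append(cmd)
    return bad

def audit(prefs_text, secure_protocols, cmdlines):
    """Return findings for one machine; an empty list means nothing was flagged."""
    findings = []
    tls_min = firefox_tls_min(prefs_text)
    if tls_min is None:
        findings.append("firefox: security.tls.version.min unset, browser default applies")
    elif tls_min < 1:
        findings.append("firefox: security.tls.version.min=0 permits SSL 3.0")
    for name in ie_legacy_protocols(secure_protocols):
        findings.append("ie: " + name + " is enabled")
    for cmd in chrome_unpinned(cmdlines):
        findings.append("chrome: no --ssl-version-min=tls1 on: " + cmd)
    return findings

# Constructed sample data for one machine (not taken from the thread).
SAMPLE_PREFS = 'user_pref("browser.startup.page", 3);\nuser_pref("security.tls.version.min", 1);\n'
SAMPLE_SECURE_PROTOCOLS = 0x20 | 0x80 | 0x200 | 0x800  # SSL 3.0 still ticked
SAMPLE_CMDLINES = [
    r'"C:\Chrome\chrome.exe" --ssl-version-min=tls1',      # started from the edited shortcut
    r'"C:\Chrome\chrome.exe" --type=renderer',             # child process, skipped
    r'"C:\Chrome\chrome.exe" -- "http://example.test/"',   # started by another application
]
print("\n".join(audit(SAMPLE_PREFS, SAMPLE_SECURE_PROTOCOLS, SAMPLE_CMDLINES)))
```

On the sample data this reports the SSL 3.0 checkbox and the Chrome instance that was started without the flag; the Firefox profile passes.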
     
  15. MrBrian

  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands


  17. Minimalist

  18. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    4,101
    :thumb:
     
    Last edited: Oct 16, 2014
  19. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,979
    Location:
    U.S.A.
  20. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  21. ronjor

    http://www.net-security.org/secworld.php?id=17503
     
  22. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,103
    How to secure your ISPConfig 3 server against the poodle SSL attack by Till Brehm.

    -- Tom
     
  23. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
  24. MrBrian

  25. ronjor

    http://www.kb.cert.org/vuls/id/577193
     