Major flaw in outdated but widely-used SSL protocol ( POODLE )

Discussion in 'other security issues & news' started by MrBrian, Oct 14, 2014.

  1. 142395

    142395 Guest

    You can apply any flags even when Chrome is launched by other software, as long as Chrome is your default browser.

    Open regedit and search for 'chrome.exe" -- "%1"' without the single quotation marks.
    In my Win7, these keys are found:
    HKEY_CLASSES_ROOT\ChromeHTML\shell\open\command
    HKEY_CLASSES_ROOT\ftp\shell\open\command
    HKEY_CLASSES_ROOT\http\shell\open\command
    HKEY_CLASSES_ROOT\https\shell\open\command
    HKEY_CURRENT_USER\Software\Classes\ChromeHTML\shell\open\command
    HKEY_CURRENT_USER\Software\Classes\ftp\shell\open\command
    HKEY_CURRENT_USER\Software\Classes\http\shell\open\command
    HKEY_CURRENT_USER\Software\Classes\https\shell\open\command
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChromeHTML\shell\open\command

    Then, insert flags between chrome.exe" and -- "%1" just like this (be careful with spaces!)
    ...\Google\Chrome\Application\chrome.exe" --enable-strict-site-isolation --ssl-version-min=tls1 -- "%1"
    Do this for every entry, push F5 and exit regedit, then see whether those flags are applied.
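
The registry procedure in the post above, as an added read-only PowerShell audit (not part of the original post): it reads the listed handler keys and reports which ones lack the two flags the post quotes, along with the command line they would have after the edit. `Add-ChromeFlags` is a hypothetical helper name, and nothing is written to the registry.

```powershell
# Added example: audit the open-command handlers named in the post (read-only).
# The flags are the two quoted in the post.
$Flags = @('--enable-strict-site-isolation', '--ssl-version-min=tls1')

$Keys = @(
    'HKEY_CLASSES_ROOT\ChromeHTML\shell\open\command',
    'HKEY_CLASSES_ROOT\ftp\shell\open\command',
    'HKEY_CLASSES_ROOT\http\shell\open\command',
    'HKEY_CLASSES_ROOT\https\shell\open\command',
    'HKEY_CURRENT_USER\Software\Classes\ChromeHTML\shell\open\command',
    'HKEY_CURRENT_USER\Software\Classes\ftp\shell\open\command',
    'HKEY_CURRENT_USER\Software\Classes\http\shell\open\command',
    'HKEY_CURRENT_USER\Software\Classes\https\shell\open\command',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChromeHTML\shell\open\command'
)

# Hypothetical helper: returns the command with any missing flags inserted
# between chrome.exe" and the rest, or $null if it is not a Chrome command.
function Add-ChromeFlags {
    param([string]$Command, [string[]]$Flags)
    $marker = 'chrome.exe" '
    $idx = $Command.IndexOf($marker, [System.StringComparison]::OrdinalIgnoreCase)
    if ($idx -lt 0) { return $null }
    $cut  = $idx + $marker.Length - 1        # position of the space after the closing quote
    $head = $Command.Substring(0, $cut)      # ...chrome.exe"
    $tail = $Command.Substring($cut)         # existing switches and -- "%1", leading space kept
    $missing = $Flags | Where-Object { $tail -notlike "*$_*" }
    if (-not $missing) { return $Command }   # every flag already present
    return $head + ' ' + ($missing -join ' ') + $tail
}

foreach ($k in $Keys) {
    $item = Get-Item -LiteralPath "Registry::$k" -ErrorAction SilentlyContinue
    if (-not $item) { continue }             # key does not exist on this machine
    $current  = [string]$item.GetValue('')   # the key's (Default) value
    $proposed = Add-ChromeFlags -Command $current -Flags $Flags
    if ($null -eq $proposed)        { $status = 'not a Chrome handler' }
    elseif ($proposed -eq $current) { $status = 'flags present' }
    else                            { $status = 'flags missing' }
    [pscustomobject]@{ Key = $k; Status = $status; Proposed = $proposed }
}
```

Re-running it after a Chrome update shows whether the installer has reset any handler to its default command line.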
     
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Thank you for your suggestion @142395 ! It's really useful. For now I won't be changing all those registry settings. I will just wait until Google introduces this option in the browser settings.
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Preventing POODLE attacks on Firefox, by opening about:config & searching for "security.enable," then setting it to "security.enable_ssl3" = false works for me, on both v3.6 & v27
     
  4. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Deprecated according to Security.tls.version.* .
     
  6. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
  7. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    Just out of curiosity I checked my 3DS browser: https://en.wikipedia.org/wiki/Internet_Browser_(Nintendo_3DS)
    Latest (1.7567) is vulnerable to Poodle. In fact the browser ONLY uses SSL3 and no TLS.

    While that might get fixed in an update at some point, it does make me think how many browsers are going to be vulnerable for the years to come.
     
  8. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,440
    Location:
    U.S.A.
    FYI. 2014-10-20 - FileZilla Client 3.9.0.6 released. (download available now!)
     
    Last edited: Oct 22, 2014
  9. 142395

    142395 Guest

    You're most welcome:)
     
  10. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,083
    Location:
    Texas
    http://appleinsider.com/articles/14...cations-on-oct-29-due-to-poodle-vulnerability
     
  11. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    7,983
  12. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,083
    Location:
    Texas
  13. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From POODLE Strikes (Bites?) Again:
     
  14. 142395

    142395 Guest

    Maybe it's not limited to Kaspersky, but I once found their mobile product still had the Heartbleed vulnerability long after its disclosure.

    Those are the reasons I don't like the idea of SSL scanning, because I can't put much trust in their automated certificate checking.
     
    Last edited by a moderator: Dec 9, 2014
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    The POODLE bites again
    https://www.imperialviolet.org/2014/12/08/poodleagain.html

    Wilders gets the overall rating "T" from SSLLabs ("If trust issues are ignored: A") :thumb:
     
  16. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
  17. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,083
    Location:
    Texas
    https://www.us-cert.gov/ncas/alerts/TA14-290A
     
  18. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,083
    Location:
    Texas
    http://krebsonsecurity.com/2014/12/poodle-bug-returns-bites-big-bank-sites
     
  19. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
  20. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
  21. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,440
    Location:
    U.S.A.
    Merged Threads to Continue Related Topic.
     
  22. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618