INTERACT FORUM

Please login or register.

Login with username, password and session length
Advanced search  
Pages: [1]   Go Down

Author Topic: SSL Vulnerability  (Read 1440 times)

JimH

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 72444
  • Where did I put my teeth?
SSL Vulnerability
« on: October 15, 2014, 03:10:24 am »

http://www.theregister.co.uk/2014/10/14/google_drops_ssl_30_poodle_vulnerability/

As warned by The Register, security researchers have discovered a vulnerability in SSL 3.0 that allows attackers to decrypt encrypted connections to websites.

Miscreants can exploit a weakness in the protocol's design to grab victims' session cookies, which are used for logging into webmail and other online accounts over HTTPS.
 
The attack is, we're told, easy to perform, and can be done on-the-fly using JavaScript – provided you can intercept the victim's packets, perhaps by setting up a malicious Wi-Fi point in a cafe or bar.
Logged

glynor

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 19608
Re: SSL Vulnerability
« Reply #1 on: October 15, 2014, 06:21:47 am »

Thanks, Jim. To be clear for others: SSLv3 was already broken and largely deprecated.  Now, this attack makes it easier.  Here's another read with more details on how to disable the legacy protocol in your browser:

http://arstechnica.com/security/2014/10/ssl-broken-again-in-poodle-attack/
Logged
"Some cultures are defined by their relationship to cheese."

Visit me on the Interweb Thingie: http://glynor.com/

InflatableMouse

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 3978
Re: SSL Vulnerability
« Reply #2 on: October 15, 2014, 06:37:45 am »

You can go to:

https://www.poodletest.com/

to see which of your browsers are vulnerable and/or to test after you disabled SSLv3 to see if its fixed.
Logged

AndrewFG

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 3392
Re: SSL Vulnerability
« Reply #3 on: October 15, 2014, 08:29:02 am »

As warned by The Register, security researchers have discovered a vulnerability in SSL 3.0 that allows attackers to decrypt encrypted connections to websites.

Hi Jim,

I see that it is actually possible to load (say) this forum via both HTTP and HTTPS. But currently your server does not redirect an HTTP call to an HTTPS call. So currently such discussions about security of HTTPS are rather moot for your site. So perhaps you can clarify if you intend 1) to redirect all HTTP calls to HTTPS, and 2) to disable SSLv3 on your server?

Logged
Author of Whitebear Digital Media Renderer Analyser - http://www.whitebear.ch/dmra.htm
Author of Whitebear - http://www.whitebear.ch/mediaserver.htm
Pages: [1]   Go Up