INTERACT FORUM

Author Topic: SSL Vulnerability  (Read 1382 times)

JimH

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 71667
  • Where did I put my teeth?
SSL Vulnerability
« on: October 15, 2014, 03:10:24 am »

http://www.theregister.co.uk/2014/10/14/google_drops_ssl_30_poodle_vulnerability/

As warned by The Register, security researchers have discovered a vulnerability in SSL 3.0 that allows attackers to decrypt encrypted connections to websites.

Miscreants can exploit a weakness in the protocol's design to grab victims' session cookies, which are used for logging into webmail and other online accounts over HTTPS.
 
The attack is, we're told, easy to perform, and can be done on-the-fly using JavaScript – provided you can intercept the victim's packets, perhaps by setting up a malicious Wi-Fi point in a cafe or bar.

glynor

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 19608
Re: SSL Vulnerability
« Reply #1 on: October 15, 2014, 06:21:47 am »

Thanks, Jim. To be clear for others: SSLv3 was already broken and largely deprecated. Now, this attack makes it easier. Here's another read with more details on how to disable the legacy protocol in your browser:

http://arstechnica.com/security/2014/10/ssl-broken-again-in-poodle-attack/
"Some cultures are defined by their relationship to cheese."

Visit me on the Interweb Thingie: http://glynor.com/

InflatableMouse

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 3978
Re: SSL Vulnerability
« Reply #2 on: October 15, 2014, 06:37:45 am »

You can go to:

https://www.poodletest.com/

to see which of your browsers are vulnerable and/or to test after you disabled SSLv3 to see if it's fixed.

AndrewFG

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 3392
Re: SSL Vulnerability
« Reply #3 on: October 15, 2014, 08:29:02 am »

As warned by The Register, security researchers have discovered a vulnerability in SSL 3.0 that allows attackers to decrypt encrypted connections to websites.

Hi Jim,

I see that it is actually possible to load (say) this forum via both HTTP and HTTPS. But currently your server does not redirect an HTTP call to an HTTPS call. So currently such discussions about security of HTTPS are rather moot for your site. So perhaps you can clarify if you intend 1) to redirect all HTTP calls to HTTPS, and 2) to disable SSLv3 on your server?

Author of Whitebear Digital Media Renderer Analyser - http://www.whitebear.ch/dmra.htm
Author of Whitebear - http://www.whitebear.ch/mediaserver.htm
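
The two server-side changes asked about in Reply #3 (redirect all HTTP to HTTPS, and disable SSLv3), shown as an added example that is not part of the thread and not the forum's actual configuration. It assumes an nginx server; the host name forum.example.org, the document root and the certificate paths are placeholders.

```nginx
# Added example with assumed values: forum.example.org, /var/www/forum and the
# certificate paths are placeholders, not the forum's real configuration.

# Before (weak): content is served over plain HTTP, and SSLv3 is still offered.
#   server {
#       listen 80;
#       server_name forum.example.org;
#       root /var/www/forum;
#   }
#   server {
#       listen 443 ssl;
#       server_name forum.example.org;
#       ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
#       root /var/www/forum;
#   }

# After, point 1: port 80 serves no content; every request is redirected to HTTPS.
# The target host is fixed rather than taken from the request's Host header.
server {
    listen 80;
    server_name forum.example.org;
    return 301 https://forum.example.org$request_uri;
}

# After, point 2: SSLv3 is absent from the protocol list, so the server refuses
# a handshake that a network attacker has forced down to SSLv3.
server {
    listen 443 ssl;
    server_name forum.example.org;

    ssl_certificate     /etc/nginx/tls/forum.example.org.crt;
    ssl_certificate_key /etc/nginx/tls/forum.example.org.key;

    # Only the protocols named here are offered. On servers of the thread's era
    # the equivalent fix was "TLSv1 TLSv1.1 TLSv1.2".
    ssl_protocols TLSv1.2 TLSv1.3;

    root /var/www/forum;
}
```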