Story 2014-10-15 2TCV POODLE: A new SSL vulnerability

POODLE: A new SSL vulnerability

by
in security on (#2TCV)
Forbes has a lovely if disjointed writeup; The Register is considerably more dramatic. The gist: your browser likely still allows the use of old SSL standards, which are now proven vulnerable to a lovely new bug which could, in the worst case, give an attacker your cookies. From there, your sessions are at risk, along with anything you'd prefer to keep to yourself online.

The makers of Chrome seem to be saying that the issue has been fixed in Chrome since February, but as of this morning, the Poodle Test still showed Chrome as vulnerable. Firefox expects to have a fix in version 34, due Nov 25. In the meantime, according to the Forbes article, you can open about:config and change the setting security.tls.version.min to 1. This does cause Firefox to pass the test. Microsoft and Apple have not addressed the issue as of this writing. Internet Explorer does have an option to disable SSL 3.0 in its more recent versions (naturally set to "enabled" by default), but IE6 users are out in the cold; Safari users are vulnerable and must wait for a fix from Apple.
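The Firefox workaround above can be checked across profiles without opening about:config. The following is an added example, not part of the original story: it reads a profile's prefs.js (and an optional user.js, which Firefox applies over prefs.js at startup) and reports whether SSL 3.0 is still permitted. The sample file contents are constructed, and the default of 0 for an unset pref is an assumption matching the unpatched Firefox versions the story describes.

```python
import re

# Meaning of the integer values of security.tls.version.min in Firefox.
TLS_PREF_VERSIONS = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}
PREF_NAME = "security.tls.version.min"

# Matches integer prefs only; lines commented out with // do not match.
PREF_LINE = re.compile(
    r'^\s*user_pref\(\s*"(?P<name>[^"]+)"\s*,\s*(?P<value>-?\d+)\s*\)\s*;',
    re.M,
)

def read_int_prefs(text):
    """Return {name: int} for integer user_pref() lines; later lines win."""
    return {m["name"]: int(m["value"]) for m in PREF_LINE.finditer(text)}

def audit_min_tls(prefs_js, user_js="", assumed_default=0):
    """Report the effective minimum protocol for one profile.

    assumed_default is the value used when the pref is not set at all
    (assumption: 0, i.e. SSL 3.0 allowed, as in pre-fix Firefox).
    """
    prefs = read_int_prefs(prefs_js)
    prefs.update(read_int_prefs(user_js))  # user.js overrides prefs.js
    value = prefs.get(PREF_NAME, assumed_default)
    return {
        "min_value": value,
        "min_protocol": TLS_PREF_VERSIONS.get(value, "unknown"),
        "explicit": PREF_NAME in prefs,
        "ssl3_allowed": value < 1,
    }

# Constructed sample profile contents (not taken from a real profile).
SAMPLE_DEFAULT = '// Mozilla User Preferences\nuser_pref("browser.startup.page", 3);\n'
SAMPLE_FIXED = SAMPLE_DEFAULT + 'user_pref("security.tls.version.min", 1);\n'
SAMPLE_USER_JS_REVERT = 'user_pref("security.tls.version.min", 0);\n'

if __name__ == "__main__":
    for label, args in [("default", (SAMPLE_DEFAULT,)),
                        ("fixed", (SAMPLE_FIXED,)),
                        ("fixed, reverted by user.js", (SAMPLE_FIXED, SAMPLE_USER_JS_REVERT))]:
        print(label, audit_min_tls(*args))
```

A profile that reports `explicit: False` is relying on the browser's built-in default, so its result changes when the browser is upgraded to a version that raises that default.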
14 comments

IE6? (Score: 1)

by zafiro17@pipedot.org on 2014-10-15 17:13 (#2TCW)

IE6 users have been out in the cold for a long time now, and for more reasons than just this. I love old tech as much as the next guy, but browsing with an old browser is asking for trouble, and IE6 is very, very old (too lazy to look it up, but it's got to be 10 years old at this point, if not more). Hell, even IE8 is considered too old now; Opera for Linux at 12 is considered abandon-ware (sniff sniff), and Konqueror, while great for intranet/SFTP and the like, is too unsafe to take online, it would seem. I know it chokes on some basic CSS, which is a bad sign.

Re: IE6? (Score: 4, Interesting)

by kerrany@pipedot.org on 2014-10-15 18:08 (#2TCY)

2001. Yeah, 2001. Worldwide market share: 3.8%. China uses it quite a bit, though, 11.1% of their users. I wonder what this has to do with the large number of attacks I get on servers I host from Chinese IPs tossing me an IE6 user agent - I strongly suspect it's script kiddy tools tossing out a false UA. China makes up the majority of IE6 users, and honestly, I block the whole country via firewall anyway on the principle that my company doesn't do business there. I feel a bit bad doing that, but considering how much trouble I get from those IPs, it's just not worth it.

Re: IE6? (Score: 1, Interesting)

by Anonymous Coward on 2014-10-15 22:38 (#2TD6)

Yeah, I think that's fair. In my experience, the people from China we do business with have non-Chinese IP addresses that they source from (to get around the Great Firewall).

Thunderbird ? (Score: 1)

by seriously@pipedot.org on 2014-10-15 19:24 (#2TCZ)

Thunderbird being based on the same technology as Firefox, can it be considered vulnerable too? It seems the vulnerability "only" requires JavaScript enabled (which I believe is the default for TB).

On an unrelated side note: there is an interesting and detailed technical explanation of POODLE available at openssl.org (pdf file)

Re: Thunderbird ? (Score: 0)

by Anonymous Coward on 2014-10-15 20:04 (#2TD0)

Do you mean Seamonkey (and other Mozilla-based browsers)? Probably, yeah.

Or do you mean that an HTML e-mail message can be exploited? Hmm.

Re: Thunderbird ? (Score: 1)

by bryan@pipedot.org on 2014-10-15 21:19 (#2TD3)

Pretty sure that Thunderbird disables JavaScript on HTML emails. Otherwise, that would be a pretty big exploit on its own.

ballsack (Score: -1, Troll)

by Anonymous Coward on 2014-10-15 20:58 (#2TD2)

I'm tired of slapping my ballsack

older FF (Score: 1, Interesting)

by Anonymous Coward on 2014-10-15 21:24 (#2TD4)

In Firefox 26.0 (a reasonably stable older version) I first changed "security.tls.version.min" from 0 to 1. Ran the Poodle test and was not vulnerable.

Perhaps stupidly(??) I then changed back to 0 and re-ran Poodle, now I'm vulnerable, OK so far, that makes some sense.

*** Changed back to 1 and still vulnerable (wtf?)
Restarted Firefox with it set to 1, still vulnerable...

Any idea what is going on here? Do I have to reboot WinXP?

Re: older FF (Score: 2, Informative)

by Anonymous Coward on 2014-10-16 01:50 (#2TD7)

Obvious suggestion, clear your cache?

Also try rebooting; Mozilla likes to leave processes running in memory, so your settings may not have really reloaded when you thought you restarted the browser.

Re: older FF (Score: 1, Informative)

by Anonymous Coward on 2014-10-16 04:13 (#2TDB)

Cleared the "Cached Web Content" and now Poodle reports not vulnerable.
Thanks!

Not a poodle (Score: 1)

by zafiro17@pipedot.org on 2014-10-16 14:53 (#2TDT)

Not sure how that graphic came about, but hopefully I'm not the only one who noticed that's a Jack Russell Terrier, not a Poodle.

But whatever.

Re: Not a poodle (Score: 2, Informative)

by Anonymous Coward on 2014-10-16 16:26 (#2TDW)

The test site shows a poodle when you're vulnerable and a Jack Russell when you're not.

Busted (Score: 2, Funny)

by zafiro17@pipedot.org on 2014-10-16 16:35 (#2TDX)

Dang it, I got poodles on both IE and Chrome at work. What an ugly-looking dog! What a disappointment!

Re: Busted (Score: 1, Funny)

by Anonymous Coward on 2014-10-16 20:54 (#2TE2)

If a cute dog wants my cookies he can have them. :) I'm not usually stupid enough to let my browser remember my passwords and... oops just remembered I use Seamonkey and I let it remember my e-mail passwords!

Down doggie, good doggie....