POODLE: A new SSL vulnerability

by
in security on (#2TCV)
story imageForbes has a lovely if disjointed writeup; The Register is considerably more dramatic. The gist: your browser likely still allows the use of old SSL standards, which are now proven vulnerable to a lovely new bug which could, in the worst case, give an attacker your cookies. From there, your sessions are at risk, along with anything you'd prefer to keep to yourself online.

The makers of Chrome seem to be saying that the issue has been fixed in Chrome since February, but as of this morning, the Poodle Test still showed Chrome as vulnerable. Firefox expects to have a fix in version 34, due Nov 25. In the meantime, according to the Forbes article, you can open about:config and change the setting security.tls.version.min to 1. This does cause Firefox to pass the test. Microsoft and Apple have not addressed the issue as of this writing. Internet Explorer does have an option to disable SSL 3.0 in its more recent versions (naturally set to "enabled" by default), but IE6 users are out in the cold; Safari users are vulnerable and must wait for a fix from Apple.

Thunderbird ? (Score: 1)

by seriously@pipedot.org on 2014-10-15 19:24 (#2TCZ)

Thunderbird being based on the same technology as Firefox, can it be considered vulnerable too ? it seems the vulnerability "only" requires javascript enabled (which I believe is the default for TB)

On an unrelated side note: there is an interesting and detailed technical explanation of POODLE available at openssl.org (pdf file)
Post Comment
Subject
Comment
Captcha
Which of thirty nine, ninety four, forty, twenty two or 22 is the biggest?