POODLE: A new SSL vulnerability

by
in security on (#2TCV)
Forbes has a lovely if disjointed writeup; The Register is considerably more dramatic. The gist: your browser likely still allows the use of old SSL standards, which are now proven vulnerable to a lovely new bug which could, in the worst case, give an attacker your cookies. From there, your sessions are at risk, along with anything you'd prefer to keep to yourself online.

The makers of Chrome seem to be saying that the issue has been fixed in Chrome since February, but as of this morning, the Poodle Test still showed Chrome as vulnerable. Firefox expects to have a fix in version 34, due Nov 25. In the meantime, according to the Forbes article, you can open about:config and change the setting security.tls.version.min to 1. This does cause Firefox to pass the test. Microsoft and Apple have not addressed the issue as of this writing. Internet Explorer does have an option to disable SSL 3.0 in its more recent versions (naturally set to "enabled" by default), but IE6 users are out in the cold; Safari users are vulnerable and must wait for a fix from Apple.
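
The Firefox workaround above can be checked across several profiles. The script below is an added example, not part of the original story: it reads the text of a profile's prefs.js and reports whether security.tls.version.min still permits SSL 3.0 (0 = SSL 3.0, 1 = TLS 1.0). The function names and the sample profiles are constructed for illustration.

```python
import re

# Matches lines such as: user_pref("security.tls.version.min", 1);
# Anchored at line start, so commented-out ("// user_pref...") lines never match.
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"security\.tls\.version\.min"\s*,\s*(-?\d+)\s*\)\s*;'
)


def min_tls_pref(prefs_text):
    """Return the last security.tls.version.min value in prefs text, or None."""
    value = None
    for line in prefs_text.splitlines():
        match = PREF_RE.match(line)
        if match:
            value = int(match.group(1))  # later lines override earlier ones
    return value


def audit_profile(prefs_text):
    """Classify a profile as 'ssl3-allowed', 'ssl3-disabled' or 'default'."""
    value = min_tls_pref(prefs_text)
    if value is None:
        # Never changed by the user: the browser's built-in default applies,
        # so the result depends on the installed Firefox version.
        return "default"
    # Encoding: 0 = SSL 3.0, 1 = TLS 1.0; anything below 1 still allows SSL 3.0.
    return "ssl3-allowed" if value < 1 else "ssl3-disabled"


# Constructed sample prefs.js contents (not taken from any real system).
SAMPLE_PROFILES = {
    "alice": 'user_pref("browser.startup.page", 3);\n'
             'user_pref("security.tls.version.min", 1);\n',
    "bob": 'user_pref("security.tls.version.min", 0);\n',
    "carol": '// user_pref("security.tls.version.min", 1);\n'
             'user_pref("browser.startup.page", 1);\n',
}


def audit_all(profiles):
    """Map each profile name to its audit status."""
    return {name: audit_profile(text) for name, text in profiles.items()}


if __name__ == "__main__":
    for name, status in sorted(audit_all(SAMPLE_PROFILES).items()):
        print(f"{name}: {status}")
```

Profiles reported as "default" have never had the setting changed and need the browser version checked separately.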

IE6? (Score: 1)

by zafiro17@pipedot.org on 2014-10-15 17:13 (#2TCW)

IE6 users have been out in the cold for a long time now, and for more reasons than just this. I love old tech as much as the next guy, but browsing with an old browser is asking for trouble, and IE6 is very, very old (too lazy to look it up, but it's got to be 10 years old at this point, if not more). Hell, even IE8 is considered too old now; Opera for Linux at 12 is considered abandonware (sniff sniff), and Konqueror, while great for intranet/SFTP and the like, is too unsafe to take online, it would seem. I know it chokes on some basic CSS, which is a bad sign.