POODLE: A new SSL vulnerability

by
in security on (#2TCV)
story imageForbes has a lovely if disjointed writeup; The Register is considerably more dramatic. The gist: your browser likely still allows the use of old SSL standards, which are now proven vulnerable to a lovely new bug which could, in the worst case, give an attacker your cookies. From there, your sessions are at risk, along with anything you'd prefer to keep to yourself online.

The makers of Chrome seem to be saying that the issue has been fixed in Chrome since February, but as of this morning, the Poodle Test still showed Chrome as vulnerable. Firefox expects to have a fix in version 34, due Nov 25. In the meantime, according to the Forbes article, you can open about:config and change the setting security.tls.version.min to 1. This does cause Firefox to pass the test. Microsoft and Apple have not addressed the issue as of this writing. Internet Explorer does have an option to disable SSL 3.0 in its more recent versions (naturally set to "enabled" by default), but IE6 users are out in the cold; Safari users are vulnerable and must wait for a fix from Apple.

Re: IE6? (Score: 4, Interesting)

by kerrany@pipedot.org on 2014-10-15 18:08 (#2TCY)

2001. Yeah, 2001. Worldwide market share: 3.8%. China uses it quite a bit, though, 11.1% of their users. I wonder what this has to do with the large number of attacks I get on servers I host from Chinese IPs tossing me an IE6 user agent - I strongly suspect it's script kiddy tools tossing out a false UA. China makes up the majority of IE6 users, and honestly, I block the whole country via firewall anyway on the principle that my company doesn't do business there. I feel a bit bad doing that, but considering how much trouble I get from those IPs, it's just not worth it.
Post Comment
Subject
Comment
Captcha
4, 37, five, 20 and thirty six: the 4th number is?