BeerCan
Guru
- Joined
- Nov 25, 2008
- Messages
- 175
- Reaction score
- 30
New security issue to be aware of. Don't know that this one is going to be to large as it seems most modern browsers may already address this but if you use sslv3 anywhere you might want to investigate further. My Firefox was good but Chrome browser failed
https://www.sans.org/webcasts/about-poodle-99032
https://www.poodletest.com/
Some stuff I cut from another thread.
https://www.sans.org/webcasts/about-poodle-99032
https://www.poodletest.com/
Some stuff I cut from another thread.
Code:
Is this OpenSSL/GnuTLS/browser specific?
No. It's a protocol (design) bug, not an implementation bug. This means you can't really patch it (unless you're changing the design of the old SSLv3).
Is it relevant for HTTPS only or also for IMAP/SMTP/OpenVPN and other protocols with SSL support?
The current attack vector as shown by the researchers works with controlling the plaintext sent to the server using Javascript being run on the victim's machine. This vector does not apply to non-HTTPS scenarios without using a browser.
Also, normally an SSL client doesn't allow the session to be downgraded to SSLv3 (having TLSv1+ seen in the handshake capabilities), but browsers want to be very backward compatible and the do. The combination with controlling plaintext and the specific way a HTTP header is built up makes it exploitable.
Conclusion: disable SSLv3 for HTTPS now, disable SSLv3 for other services in your next service window.