Discussion:
Here we go again folks...
(too old to reply)
John Andersen
2014-10-14 18:06:03 UTC
Permalink
http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_drop_tomorrow/

The Register has learned that news of yet another security vulnerability - this time in SSL 3.0 - is probably imminent.

Maintainers have kept quiet about the vulnerability in the lead-up to a patch release, which is expected in in the late European evening, or
not far from high noon Pacific Time.
--
_____________________________________
---This space for rent---
--
To unsubscribe, e-mail: opensuse+***@opensuse.org
To contact the owner, e-mail: opensuse+***@opensuse.org
Cristian Rodríguez
2014-10-14 18:20:57 UTC
Permalink
Post by John Andersen
http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_drop_tomorrow/
The Register has learned that news of yet another security vulnerability - this time in SSL 3.0 - is probably imminent.
Why you are using SSL 3 at all ? all major clients support TLS 1.0 since
around a decade or more.
--
To unsubscribe, e-mail: opensuse+***@opensuse.org
To contact the owner, e-mail: opensuse+***@opensuse.org
Cristian Rodríguez
2014-10-14 22:41:49 UTC
Permalink
Post by John Andersen
http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_drop_tomorrow/
The Register has learned that news of yet another security vulnerability - this time in SSL 3.0 - is probably imminent.
Maintainers have kept quiet about the vulnerability in the lead-up to a patch release, which is expected in in the late European evening, or
not far from high noon Pacific Time.
It is just a practical SSL downgrade attack..not a library bug but a
protocol error.
--
To unsubscribe, e-mail: opensuse+***@opensuse.org
To contact the owner, e-mail: opensuse+***@opensuse.org
John Andersen
2014-10-15 01:19:13 UTC
Permalink
Post by Cristian Rodríguez
Post by John Andersen
http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_drop_tomorrow/
The Register has learned that news of yet another security vulnerability - this time in SSL 3.0 - is probably imminent.
Maintainers have kept quiet about the vulnerability in the lead-up to a patch release, which is expected in in the late European evening, or
not far from high noon Pacific Time.
It is just a practical SSL downgrade attack..not a library bug but a
protocol error.
Its a little more complex than a downgrade attack, because it relies on both the ability to
negotiate a downgrade AND a vulnerability is SSL 3.0.

https://www.openssl.org/~bodo/ssl-poodle.pdf

http://googleonlinesecurity.blogspot.com.au/2014/10/this-poodle-bites-exploiting-ssl-30.html
--
_____________________________________
---This space for rent---
--
To unsubscribe, e-mail: opensuse+***@opensuse.org
To contact the owner, e-mail: opensuse+***@opensuse.org
Cristian Rodríguez
2014-10-15 01:30:16 UTC
Permalink
Post by John Andersen
Post by Cristian Rodríguez
Post by John Andersen
http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_drop_tomorrow/
The Register has learned that news of yet another security vulnerability - this time in SSL 3.0 - is probably imminent.
Maintainers have kept quiet about the vulnerability in the lead-up to a patch release, which is expected in in the late European evening, or
not far from high noon Pacific Time.
It is just a practical SSL downgrade attack..not a library bug but a
protocol error.
Its a little more complex than a downgrade attack, because it relies on both the ability to
negotiate a downgrade AND a vulnerability is SSL 3.0.
https://www.openssl.org/~bodo/ssl-poodle.pdf
http://googleonlinesecurity.blogspot.com.au/2014/10/this-poodle-bites-exploiting-ssl-30.html
I think we should patch all clients and servers to disable SSLv3 in
*future* products. maybe ..just maybe by axing SSL v3 support from
openSSL completely.. this may not be an optimum solution because there
is a lot of broken stuff out there..I need to hear security team's take
on this before choosing a course of action for the distribution, for now
it is prudent to disable SSlv3 in your browser of choice.
--
To unsubscribe, e-mail: opensuse+***@opensuse.org
To contact the owner, e-mail: opensuse+***@opensuse.org
John Andersen
2014-10-15 22:50:44 UTC
Permalink
Post by Cristian Rodríguez
Post by John Andersen
Post by Cristian Rodríguez
Post by John Andersen
http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_drop_tomorrow/
The Register has learned that news of yet another security vulnerability - this time in SSL 3.0 - is probably imminent.
Maintainers have kept quiet about the vulnerability in the lead-up to a patch release, which is expected in in the late European evening, or
not far from high noon Pacific Time.
It is just a practical SSL downgrade attack..not a library bug but a
protocol error.
Its a little more complex than a downgrade attack, because it relies on both the ability to
negotiate a downgrade AND a vulnerability is SSL 3.0.
https://www.openssl.org/~bodo/ssl-poodle.pdf
http://googleonlinesecurity.blogspot.com.au/2014/10/this-poodle-bites-exploiting-ssl-30.html
I think we should patch all clients and servers to disable SSLv3 in
*future* products. maybe ..just maybe by axing SSL v3 support from
openSSL completely.. this may not be an optimum solution because there
is a lot of broken stuff out there..I need to hear security team's take
on this before choosing a course of action for the distribution, for now
it is prudent to disable SSlv3 in your browser of choice.
Apparently there are fixes available for this already, but
Turns out there is even more to worry about:
http://www.theregister.co.uk/2014/10/15/openssl_ddos_vulns/

Is LibreSSL an option yet?
--
_____________________________________
---This space for rent---
--
To unsubscribe, e-mail: opensuse+***@opensuse.org
To contact the owner, e-mail: opensuse+***@opensuse.org
Cristian Rodríguez
2014-10-16 04:30:30 UTC
Permalink
Apparently there are fixes available for this already.
There are workarounds but there can't be a "fix" since you can't fix an
old protocol design flaw, one that was already fixed in TLS 1.0.. 15
years ago.

We could remove SSLv3 support entirely.That requires patching, ABI
breaks..etc..unsuitable for released products. I favor this solution for
releases after 13.2..

We could also disable SSlv3 by default without completely removing
SSLv3, that is doable without much hassle, though it might prevent users
from connecting to a tiny corner of the internet (0.4-0.7 of servers do
not support TLS v1.0) . I only agree with taking this route with
already released or soon to be released versions.
http://www.theregister.co.uk/2014/10/15/openssl_ddos_vulns/
Is LibreSSL an option yet
I don't think so.
--
To unsubscribe, e-mail: opensuse+***@opensuse.org
To contact the owner, e-mail: opensuse+***@opensuse.org
Loading...