[opensuse] Here we go again folks...
http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_drop_t...

The Register has learned that news of yet another security vulnerability - this time in SSL 3.0 - is probably imminent. Maintainers have kept quiet about the vulnerability in the lead-up to a patch release, which is expected in the late European evening, or not far from high noon Pacific Time.

-- 
_____________________________________
---This space for rent---

-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 14/10/14 at #4, John Andersen wrote:
> http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_drop_t...
> The Register has learned that news of yet another security vulnerability - this time in SSL 3.0 - is probably imminent.

Why are you using SSL 3 at all? All major clients have supported TLS 1.0 for around a decade or more.
On 14/10/14 at #4, John Andersen wrote:
> http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_drop_t...
> The Register has learned that news of yet another security vulnerability - this time in SSL 3.0 - is probably imminent.
> Maintainers have kept quiet about the vulnerability in the lead-up to a patch release, which is expected in the late European evening, or not far from high noon Pacific Time.

It is just a practical SSL downgrade attack, not a library bug but a protocol error.
On 10/14/2014 3:41 PM, Cristian Rodríguez wrote:
> On 14/10/14 at #4, John Andersen wrote:
>> http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_drop_t...
>> The Register has learned that news of yet another security vulnerability - this time in SSL 3.0 - is probably imminent.
>> Maintainers have kept quiet about the vulnerability in the lead-up to a patch release, which is expected in the late European evening, or not far from high noon Pacific Time.
>
> It is just a practical SSL downgrade attack, not a library bug but a protocol error.

It's a little more complex than a downgrade attack, because it relies on both the ability to negotiate a downgrade AND a vulnerability in SSL 3.0.

https://www.openssl.org/~bodo/ssl-poodle.pdf
http://googleonlinesecurity.blogspot.com.au/2014/10/this-poodle-bites-exploi...
On 14/10/14 at #4, John Andersen wrote:
> On 10/14/2014 3:41 PM, Cristian Rodríguez wrote:
>> On 14/10/14 at #4, John Andersen wrote:
>>> http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_drop_t...
>>> The Register has learned that news of yet another security vulnerability - this time in SSL 3.0 - is probably imminent.
>>> Maintainers have kept quiet about the vulnerability in the lead-up to a patch release, which is expected in the late European evening, or not far from high noon Pacific Time.
>>
>> It is just a practical SSL downgrade attack, not a library bug but a protocol error.
>
> It's a little more complex than a downgrade attack, because it relies on both the ability to negotiate a downgrade AND a vulnerability in SSL 3.0.
>
> https://www.openssl.org/~bodo/ssl-poodle.pdf
> http://googleonlinesecurity.blogspot.com.au/2014/10/this-poodle-bites-exploi...

I think we should patch all clients and servers to disable SSLv3 in *future* products, maybe, just maybe, by axing SSLv3 support from openSSL completely. This may not be an optimum solution because there is a lot of broken stuff out there. I need to hear the security team's take on this before choosing a course of action for the distribution; for now it is prudent to disable SSLv3 in your browser of choice.
On 10/14/2014 6:30 PM, Cristian Rodríguez wrote:
> On 14/10/14 at #4, John Andersen wrote:
>> On 10/14/2014 3:41 PM, Cristian Rodríguez wrote:
>>> On 14/10/14 at #4, John Andersen wrote:
>>>> http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_drop_t...
>>>> The Register has learned that news of yet another security vulnerability - this time in SSL 3.0 - is probably imminent.
>>>> Maintainers have kept quiet about the vulnerability in the lead-up to a patch release, which is expected in the late European evening, or not far from high noon Pacific Time.
>>>
>>> It is just a practical SSL downgrade attack, not a library bug but a protocol error.
>>
>> It's a little more complex than a downgrade attack, because it relies on both the ability to negotiate a downgrade AND a vulnerability in SSL 3.0.
>>
>> https://www.openssl.org/~bodo/ssl-poodle.pdf
>> http://googleonlinesecurity.blogspot.com.au/2014/10/this-poodle-bites-exploi...
>
> I think we should patch all clients and servers to disable SSLv3 in *future* products, maybe, just maybe, by axing SSLv3 support from openSSL completely. This may not be an optimum solution because there is a lot of broken stuff out there. I need to hear the security team's take on this before choosing a course of action for the distribution; for now it is prudent to disable SSLv3 in your browser of choice.

Apparently there are fixes available for this already, but it turns out there is even more to worry about:

http://www.theregister.co.uk/2014/10/15/openssl_ddos_vulns/

Is LibreSSL an option yet?
On 15/10/14 at #4, John Andersen wrote:
> Apparently there are fixes available for this already.

There are workarounds, but there can't be a "fix", since you can't fix an old protocol design flaw, one that was already fixed in TLS 1.0, 15 years ago. We could remove SSLv3 support entirely. That requires patching, ABI breaks, etc., unsuitable for released products. I favor this solution for releases after 13.2. We could also disable SSLv3 by default without completely removing SSLv3; that is doable without much hassle, though it might prevent users from connecting to a tiny corner of the internet (0.4-0.7 of servers do not support TLS v1.0). I only agree with taking this route with already released or soon to be released versions.

> Turns out there is even more to worry about: http://www.theregister.co.uk/2014/10/15/openssl_ddos_vulns/
> Is LibreSSL an option yet?

I don't think so.
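An added example of my own, not from the thread, that turns John's two ingredients (a negotiated downgrade plus an SSLv3 connection) and Cristian's "disable SSLv3 by default" into something checkable: it parses constructed ClientHello/ServerHello records, flags SSLv3 negotiation, and reports whether the client signalled the fallback with TLS_FALLBACK_SCSV (RFC 7507, the mechanism proposed in the OpenSSL POODLE paper linked above; the thread itself does not discuss it). Sample records are built inline and are not captured traffic.

```python
import struct

SSL3 = (3, 0)                 # version bytes for SSL 3.0
TLS_FALLBACK_SCSV = 0x5600    # RFC 7507 signalling cipher suite (not in the thread)

def build_hello(hs_type, version, suites):
    """Build a minimal ClientHello (type 1) or ServerHello (type 2) record."""
    rnd = bytes(32)           # all-zero random is fine for a constructed sample
    if hs_type == 1:
        body = (bytes(version) + rnd + b"\x00" + struct.pack("!H", 2 * len(suites))
                + b"".join(struct.pack("!H", s) for s in suites) + b"\x01\x00")
    else:
        body = bytes(version) + rnd + b"\x00" + struct.pack("!H", suites[0]) + b"\x00"
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs

def parse_hello(record):
    """Return handshake type, hello version and (ClientHello only) offered suites."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 + 2 + 32 + 1:
        raise ValueError("truncated handshake")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    info = {"type": body[0], "version": (hello[0], hello[1]), "suites": []}
    if body[0] == 1:
        pos = 2 + 32
        pos += 1 + hello[pos]                              # skip session id
        (cs_len,) = struct.unpack("!H", hello[pos:pos + 2])
        pos += 2
        info["suites"] = [struct.unpack("!H", hello[i:i + 2])[0]
                          for i in range(pos, pos + cs_len, 2)]
    return info

def assess(record):
    """Classify one hello the way a defender reading a capture would."""
    info = parse_hello(record)
    if info["type"] == 2:
        return "server negotiated SSLv3" if info["version"] == SSL3 else "server chose TLS"
    if info["version"] != SSL3:
        return "client offers TLS"
    if TLS_FALLBACK_SCSV in info["suites"]:
        return "SSLv3 fallback signalled with TLS_FALLBACK_SCSV"
    return "bare SSLv3 ClientHello, downgrade not signalled"

# Constructed samples, not captured traffic
POODLE_FALLBACK = build_hello(1, SSL3, [0x002F, TLS_FALLBACK_SCSV])
BARE_SSL3 = build_hello(1, SSL3, [0x002F])
SSL3_SERVER = build_hello(2, SSL3, [0x002F])
```

A server that has SSLv3 disabled, as Cristian proposes, never produces the "server negotiated SSLv3" case; one that honours TLS_FALLBACK_SCSV can refuse the signalled fallback instead of completing an SSLv3 handshake.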