[BlueOnyx:16209] Re: SSL v3 POODLE vulnerability
Dogsbody
dan at dogsbody.org
Fri Oct 17 06:23:41 -05 2014
On 15/10/14 02:17, Michael Stauber wrote:
>
> So as is SSL v3.0 allows snooping via a man-in-the-middle attack.
>
> This is bad enough. They kind of confirm that SSL v3.0 is pretty much
> dead and recommend to move to TLSv1.2 for secure connections. Think
> HTTPS, SMTPS, POP3S, IMAPS and FTPS in our usage cases on BlueOnyx.

A new OpenSSL package was released last night for all OS's. While
the problem wasn't with OpenSSL (it was with SSL 3) they have added
TLS_FALLBACK_SCSV functionality to the older OpenSSL versions which
helps prevent this attack vector. SSL 3 is still insecure though.

It's not perfect. I still think we should disable SSL 3 but it does
help a lot.

Dan