[Nottingham] Oodles of poodles make your noodle go cock-a-doodle
Mike Cardwell
nlug at lists.grepular.com
Wed Oct 15 10:02:06 UTC 2014
* on the Wed, Oct 15, 2014 at 10:39:15AM +0100, Jason Irwin wrote:
>> When the server responds with its Server Hello as SSLV3, then the
>> client will then think the server is only capable of it, and will also
>> downgrade to match.
> Unless your browser has been told to not support SSLv3 (standard in FF
> these days, I think IE still uses it by default).
Firefox still has SSLv3 turned on by default. You can turn it off right
now by visiting about:config and setting "security.tls.version.min" to "1"
rather than the default, which is "0".
>> This has been known about forever, it's part of the protocol, and
>> required for backwards compatibility, but the requirement of a man in
>> the middle means it's still pretty unlikely.
> Unless a new-and-improved FireSheep does the rounds. Sit in a
> cafe...sniffy-sniffy, cracky-cracky.
The downgrade part isn't the new vulnerability that is being discussed.
It is just a way of forcing people onto SSLv3 so that Poodle can then
be leveraged to read the plain text.
> They do state it's not on the same level as Heartbleed/Shellshock and
> it's trivial for an end-user to protect themselves.
> If they know that they need to....
Those are bugs in software. POODLE is a protocol level bug. A more
suitable comparison would be the BEAST attack. POODLE is just as
bad as BEAST was, except it's easier to pull off.
--
Mike Cardwell https://grepular.com https://emailprivacytester.com
OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
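As an added example that is not part of the thread: the downgrade Mike describes ends with the server's Server Hello naming SSLv3 (version bytes 3.0 on the wire). The helper below parses a handshake record, reports the negotiated version, and flags SSLv3, so an operator can check captured Server Hello bytes from their own server; the sample record is constructed inline.

```python
import struct

# Wire encoding of protocol versions (major, minor); 3.0 is SSLv3.
VERSION_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}

def parse_server_hello(record: bytes) -> dict:
    """Parse one handshake record carrying a ServerHello and report the versions it names."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != 22:  # 22 = handshake content type
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) < 6:
        raise ValueError("truncated handshake body")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != 2:  # 2 = ServerHello
        raise ValueError("not a ServerHello")
    hello = body[4:4 + hs_len]
    major, minor = hello[0], hello[1]
    return {
        "record_version": (rec_major, rec_minor),
        "negotiated_version": (major, minor),
        "negotiated_name": VERSION_NAMES.get((major, minor), "unknown"),
        "downgraded_to_sslv3": (major, minor) == (3, 0),
    }

def build_server_hello(major: int, minor: int) -> bytes:
    """Constructed sample: minimal ServerHello with zeroed random, empty session id, one suite."""
    random32 = bytes(32)
    session_id = b"\x00"          # zero-length session id
    cipher = b"\x00\x2f"          # TLS_RSA_WITH_AES_128_CBC_SHA, a CBC suite
    compression = b"\x00"         # null compression
    hello = bytes([major, minor]) + random32 + session_id + cipher + compression
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BBBH", 22, major, minor, len(handshake)) + handshake

if __name__ == "__main__":
    for ver in ((3, 0), (3, 3)):
        print(parse_server_hello(build_server_hello(*ver)))
```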