SSL 3.0 vulnerability discovered

Corrine · October 15, 2014, 09:18:53 PM

QuoteA security vulnerability in SSL 3.0 has been uncovered by Bodo Möller and two other Google employees that attackers can exploit to calculate the plaintext of secure connections.

SSL 3.0 is an old protocol and most Internet servers use the newer TLS 1.0, TLS 1.1 or TLS 1.2 protocols instead. Client and server usually agree to use the latest protocol version during connections during protocol handshake but since TLS is backwards compatible with SSL 3.0, it can happen that SSL 3.0 is being used instead.

During the first handshake attempt the highest supported protocol version is offered but if this handshake fails, earlier protocol versions are offered instead.
An attacker controlling the network between the client and server could interfere with the handshake attempt so that SSL 3.0 is used instead of TLS.

Instructions are available at the source on how to protect your web browser. See SSL 3.0 vulnerability discovered. Find out how to protect yourself. Note, however, that the link to test the Protocols includes the caveat, "This test reliably detects only the highest supported protocol." Thus, it reliably detects TLS 1.2, but will not reliably detect if SSL3 is disabled. https://www.ssllabs.com/ssltest/viewMyClient.html

Corrine · October 16, 2014, 01:23:51 AM

https://www.ssllabs.com/ssltest/viewMyClient.html has been updated and now correctly shows "No" for SSL 3.

Digerati · October 16, 2014, 02:52:43 PM

I have disabled 3.0 in my IE with no problems noted - yet.

winchester73 · October 16, 2014, 03:05:45 PM

FF 33:

Digerati · October 16, 2014, 03:15:23 PM

Hmmm, seems to be more than just 3.0.

https://www.us-cert.gov/ncas/current-activity/2014/10/16/OpenSSL-Patches-Four-Vulnerabilities

siljaline · November 05, 2014, 09:09:57 PM

Enable the MS FixIt available here:
https://support.microsoft.com/kb/3009008

FAQ - you generally don't have to undo them as next Patch Tuesday.

JDBush61 · November 06, 2014, 12:44:03 AM

Do folks running Safari on a Mac need to be concerned with this?

I ran the above test(?) [Windows 7, Pale Moon] using the link that Corrine provided and everything seems to be OK.
Is it still necessary to run the MS FixIt?

siljaline · November 06, 2014, 03:39:21 AM

Irrespective of Browser choice - if running a Windows O/S, you need the FixIt in place, ASAP.

siljaline · November 06, 2014, 04:32:50 AM

Bad dog: Redmond's new IE tool KILLS POODLE with one shot

JDBush61 · November 06, 2014, 06:27:12 AM

Quote from: siljaline on November 06, 2014, 03:39:21 AM
Irrespective of Browser choice - if running a Windows O/S, you need the FixIt in place, ASAP.

Thanks. Now fixed.

siljaline · November 06, 2014, 01:33:23 PM

Most welcome. Leave the MS FixIt in-place until MS tells us otherwise.

Lost. · September 17, 2015, 04:26:37 AM

You have to under stand what is going in a encryption vulnerability.

When you go to buy something on-line your connection should be encrypted

If the site is malware infected it can tell your browser to use the lowest encryption say SSl 3

which has been hacked, So the malware infecter will get your credit card info.

If you have an update browser the lowest encrypted it uses will not have been hacked.

This can cause a compatibility problem if a site uses only hacked encryption.

So it does not matter if you run windows,apple,or Linux.