Author Topic: SSL 3.0 vulnerability discovered


Offline Corrine

SSL 3.0 vulnerability discovered
« on: October 15, 2014, 08:18:53 PM »
Quote
A security vulnerability in SSL 3.0 has been uncovered by Bodo Möller and two other Google employees that attackers can exploit to calculate the plaintext of secure connections.

SSL 3.0 is an old protocol and most Internet servers use the newer TLS 1.0, TLS 1.1 or TLS 1.2 protocols instead. Client and server usually agree to use the latest protocol version during the protocol handshake, but since TLS is backwards compatible with SSL 3.0, it can happen that SSL 3.0 is being used instead.

During the first handshake attempt the highest supported protocol version is offered, but if this handshake fails, earlier protocol versions are offered instead.
An attacker controlling the network between the client and server could interfere with the handshake attempt so that SSL 3.0 is used instead of TLS.

Instructions are available at the source on how to protect your web browser. See SSL 3.0 vulnerability discovered. Find out how to protect yourself. Note, however, that the link to test the Protocols includes the caveat, "This test reliably detects only the highest supported protocol." Thus, it reliably detects TLS 1.2, but will not reliably detect if SSL3 is disabled. https://www.ssllabs.com/ssltest/viewMyClient.html


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.
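As an added illustration of the fallback behaviour the quoted article describes (example code written for this page, not from the article or from anyone in the thread): a small Python model of the client's downgrade dance, with a constructed version ranking, a server that still has SSL 3.0 enabled, and an on-path attacker that does nothing more than make the TLS handshake attempts fail. Disabling SSL 3.0 in the client, as the thread recommends, is what keeps the connection from ending up on SSL 3.0.

```python
from typing import List, Optional, Tuple

# Protocol versions in preference order, lowest first (constructed ranking).
VERSIONS = ["SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"]
Attempt = Tuple[str, str]


def negotiate(client_versions: List[str], server_versions: List[str],
              attacker_blocks_tls: bool = False) -> Tuple[Optional[str], List[Attempt]]:
    """Model the fallback logic the article describes.

    The client offers its highest enabled version first; if that handshake
    fails for any reason it retries with the next lower version it still has
    enabled.  An attacker on the network cannot read the traffic, but can
    make every non-SSL 3.0 attempt fail, so a client with SSL 3.0 enabled
    keeps falling back until it offers SSL 3.0 and the server accepts it.
    Returns (agreed_version_or_None, log_of_attempts).
    """
    log: List[Attempt] = []
    for offered in sorted(client_versions, key=VERSIONS.index, reverse=True):
        if attacker_blocks_tls and offered != "SSL 3.0":
            log.append((offered, "handshake failed (interfered with)"))
            continue
        if offered in server_versions:
            log.append((offered, "agreed"))
            return offered, log
        log.append((offered, "not supported by server"))
    return None, log  # no common version left: connection fails instead of degrading


def ends_on_ssl3(agreed: Optional[str]) -> bool:
    """True when the negotiation degraded all the way to SSL 3.0."""
    return agreed == "SSL 3.0"


if __name__ == "__main__":
    server = ["SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"]   # SSL 3.0 still on, as many were in 2014
    legacy_client = ["SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"]
    hardened_client = ["TLS 1.0", "TLS 1.1", "TLS 1.2"]     # SSL 3.0 disabled in the browser
    for name, client in (("legacy", legacy_client), ("hardened", hardened_client)):
        for attacked in (False, True):
            agreed, log = negotiate(client, server, attacked)
            print(f"{name:8} attacker={attacked!s:5} -> {agreed}  downgraded={ends_on_ssl3(agreed)}")
            for offered, outcome in log:
                print("    ", offered, ":", outcome)
```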

Offline Corrine

Re: SSL 3.0 vulnerability discovered
« Reply #1 on: October 16, 2014, 12:23:51 AM »
https://www.ssllabs.com/ssltest/viewMyClient.html has been updated and now correctly shows "No" for SSL 3.



Offline Digerati

Re: SSL 3.0 vulnerability discovered
« Reply #2 on: October 16, 2014, 01:52:43 PM »
I have disabled 3.0 in my IE with no problems noted - yet.
Bill (AFE7Ret)
Freedom is NOT Free!
2007 - 2018

Offline winchester73

Re: SSL 3.0 vulnerability discovered
« Reply #3 on: October 16, 2014, 02:05:45 PM »
FF 33:

Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

Offline Digerati

Re: SSL 3.0 vulnerability discovered
« Reply #4 on: October 16, 2014, 02:15:23 PM »

Offline siljaline

Re: SSL 3.0 vulnerability discovered
« Reply #5 on: November 05, 2014, 07:09:57 PM »
Enable the MS FixIt available here:
https://support.microsoft.com/kb/3009008

FAQ - you generally don't have to undo them as next Patch Tuesday.

siljaline
MVPS Hosts . MBAM . Why ESET

Offline JDBush61

Re: SSL 3.0 vulnerability discovered
« Reply #6 on: November 05, 2014, 10:44:03 PM »
Do folks running Safari on a Mac need to be concerned with this?

I ran the above test(?) [Windows 7, Pale Moon] using the link that Corrine provided and everything seems to be OK.
Is it still necessary to run the MS FixIt?
"In an age when mass society has rendered obsolete the qualities of individual courage and independent thought, the oceans of the world still remain, vast and uncluttered, beautiful but unforgiving, awaiting those who will not submit. Their voyages are not an escape, but a fulfillment."

~ THE SLOCUM SOCIETY ~

Offline siljaline

Re: SSL 3.0 vulnerability discovered
« Reply #7 on: November 06, 2014, 01:39:21 AM »
Irrespective of Browser choice - if running a Windows O/S, you need the FixIt in place, ASAP. 

Offline JDBush61

Re: SSL 3.0 vulnerability discovered
« Reply #9 on: November 06, 2014, 04:27:12 AM »
Irrespective of Browser choice - if running a Windows O/S, you need the FixIt in place, ASAP.

Thanks. Now fixed.

Offline siljaline

Re: SSL 3.0 vulnerability discovered
« Reply #10 on: November 06, 2014, 11:33:23 AM »
Most welcome. Leave the MS FixIt in-place until MS tells us otherwise.


Offline Lost.

Re: SSL 3.0 vulnerability discovered
« Reply #11 on: September 17, 2015, 03:26:37 AM »
You have to understand what is going on in an encryption vulnerability.

When you go to buy something on-line your connection should be encrypted.

If the site is malware infected it can tell your browser to use the lowest encryption, say SSL 3,

which has been hacked, so the malware infector will get your credit card info.

If you have an updated browser the lowest encryption it uses will not have been hacked.

This can cause a compatibility problem if a site uses only hacked encryption.

So it does not matter if you run Windows, Apple, or Linux.
“One of the biggest challenge in life is to see things for what they are instead of what you want them to be.” ― Saahil Prem