[OpenIndiana-discuss] SSL 3 POODLE security bug

Fred Kimball choope1 at yahoo.com
Thu Oct 16 15:08:36 UTC 2014


The security issues keep coming. Another one just issued is for SSL 3, an 18-year-old protocol. It's called POODLE (Padding Oracle On Downgraded Legacy Encryption) and was discovered by Google engineers. Mozilla plans to eliminate SSL 3 in Firefox 34, which is expected to be released Nov. 25. https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/ I used to use Opera before they discontinued Solaris support. They too plan to eliminate SSL 3 at some point in the future. For now they have implemented a workaround that splits the SSL records. http://blogs.opera.com/security/

From the Opera blog: "Opera also supports the TLS_FALLBACK_SCSV mechanism. This is a security feature, if supported by both browser and server, that effectively stops unwanted fallbacks to lower TLS versions. Sadly, this feature is not widely supported yet, but we hope that server administrators pay attention to this attack and will upgrade their servers to support it. This way, future problems with higher TLS versions will not have the same devastating effect."

The reason SSL hasn't been eliminated is probably to keep IE6 from losing access to https pages. When SSL 3 is eliminated in Firefox, it's probably going to cause major headaches due to servers that want to fall back to and use SSL 3.


A post in the Mozilla blog suggested disabling SSL by going to about:config. There are 27 and several are disabled by default. I toggled all of the others to False. Then I could not access the Mozilla site. I had to make a payment and after filling out the form, got an empty cart. I guessed and toggled security.ssl3.dhe_rsa_aes_256_sha to True and completed the purchase. I can also access the Mozilla blog with this turned on. I got an SSL error going to Facebook. One more guess and I toggled security.ssl3.rsa_aes_256_sha to True and reloaded successfully. I now have just those two enabled.

Regards,
Fred Kimball
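The TLS_FALLBACK_SCSV mechanism quoted from the Opera blog above is easy to misread as a server-side "disable SSL 3" switch; it is not. It is a signalling cipher suite (value 0x5600, RFC 7507) that a browser adds to its ClientHello only when it is retrying a handshake at a lower protocol version than the highest it supports. A server that understands the signal and supports a higher version than the one offered aborts with an inappropriate_fallback alert, which is what stops a POODLE-style forced downgrade. The simulation below is an added example written for this thread, not code from the original post, Opera, Mozilla or any TLS library; the version tuples, the single real cipher-suite value 0x002F and the "attacker drops handshakes above version X" knob are constructed inputs, and no actual TLS records are built.

```python
"""Constructed simulation of browser version fallback with and without
TLS_FALLBACK_SCSV (RFC 7507).  Added example; no real TLS handshake happens."""
from dataclasses import dataclass

# Protocol versions as (major, minor) so that tuple comparison orders them.
SSL3, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)
NAMES = {SSL3: "SSLv3", TLS10: "TLSv1.0", TLS11: "TLSv1.1", TLS12: "TLSv1.2"}

TLS_FALLBACK_SCSV = 0x5600        # signalling cipher suite value, RFC 7507
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F  # one ordinary suite, stands in for a list
ALERT_PROTOCOL_VERSION = 70       # server refuses a version below its floor
ALERT_INAPPROPRIATE_FALLBACK = 86 # server detects a downgraded retry


@dataclass
class ClientHello:
    version: tuple
    cipher_suites: list


@dataclass
class Server:
    max_version: tuple
    min_version: tuple = SSL3      # most 2014 servers still allowed SSLv3
    supports_scsv: bool = True     # set False for a server not yet patched

    def handle(self, hello):
        """Returns ('alert', code) or ('ok', negotiated_version)."""
        if (self.supports_scsv
                and TLS_FALLBACK_SCSV in hello.cipher_suites
                and hello.version < self.max_version):
            # The client says it is retrying at a lower version, yet we speak
            # something higher: the earlier attempt was broken on the wire.
            return ("alert", ALERT_INAPPROPRIATE_FALLBACK)
        if hello.version < self.min_version:
            return ("alert", ALERT_PROTOCOL_VERSION)
        return ("ok", min(hello.version, self.max_version))


def connect(server, client_max, client_min=SSL3, use_scsv=True,
            network_breaks_above=None):
    """Browser-style connect: try client_max first, then step down.

    network_breaks_above simulates an active attacker (or an intolerant
    middlebox) that silently drops every handshake whose version is above
    the given value, which is exactly how a POODLE downgrade is forced."""
    versions = [v for v in (TLS12, TLS11, TLS10, SSL3)
                if client_min <= v <= client_max]
    for version in versions:
        if network_breaks_above is not None and version > network_breaks_above:
            continue                      # handshake never completes; retry lower
        suites = [TLS_RSA_WITH_AES_128_CBC_SHA]
        if use_scsv and version < client_max:
            suites.append(TLS_FALLBACK_SCSV)   # only on a downgraded retry
        return server.handle(ClientHello(version, suites))
    return ("fail", None)


if __name__ == "__main__":
    patched = Server(max_version=TLS12, supports_scsv=True)
    unpatched = Server(max_version=TLS12, supports_scsv=False)
    scenarios = {
        "normal, no attacker": connect(patched, TLS12),
        "attacker forces SSLv3, server has SCSV": connect(patched, TLS12, network_breaks_above=SSL3),
        "attacker forces SSLv3, server lacks SCSV": connect(unpatched, TLS12, network_breaks_above=SSL3),
        "genuine SSLv3-only client, lenient server": connect(patched, SSL3),
        "genuine SSLv3-only client, SSLv3 disabled": connect(Server(TLS12, min_version=TLS10), SSL3),
    }
    for name, (status, detail) in scenarios.items():
        shown = NAMES.get(detail, detail)
        print(f"{name:45s} -> {status} {shown}")
```

Two things the scenarios make visible. First, the SCSV only helps when both ends implement it: against the unpatched server the downgrade to SSLv3 goes through and the padding oracle is reachable, which is why the Opera post asks server administrators to deploy it. Second, the SCSV does nothing for a client whose highest version really is SSLv3; the only way to protect such a client is to stop accepting SSLv3, and that is the Firefox 34 change. In Firefox itself the protocol floor is the security.tls.version.min preference (0 for SSLv3, 1 for TLS 1.0); the security.ssl3.* entries toggle individual cipher suites and apply to every protocol version, not just SSL 3.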


