Date: Tue, 14 Oct 2014 23:05:15 -0700
From: Krassimir Tzvetanov <maillists@...ssi.biz>
To: oss-security@...ts.openwall.com
Subject: Re: SSL POODLE (Truly scary SSL 3.0 vuln)

Agreed: just I think you meant "1": security.tls.version.min == 1 (not 3)...

from: http://kb.mozillazine.org/Security.tls.version.*
---
1

TLS 1.0 is the minimum required / maximum supported encryption protocol.
(This is the current default for the maximum supported version.)
---


Best,

Krassi



On Tue, Oct 14, 2014 at 10:58 PM, <gremlin@...mlin.ru> wrote:

> On 15-Oct-2014 05:28:34 +0000, Sona Sarmadi wrote:
>
>  > A reflection: Maybe we shouldn't post information like this
>  > here or somewhere else which is not published yet even if
>  > the information has leaked out? Although all members here are
>  > reliable but it is still an open mailing list and we should
>  > be careful and act more responsibly.
>
> Why? Old ciphers are well known as totally insecure (generally
> speaking, even some "new" are insecure as well), so the POODLE
> description does nothing but show one more attack vector.
>
> The protection against the POODLE is quite simple:
>
> 1. For servers: disable weak encryption (in assumption they are
> updated on a regular basis).
>
> 2. For users: update old software. Alas, fully disabling weak
> encryption (e.g. set security.tls.version.min == 3 in Firefox)
> isn't what we can demand, but that leaves the user personally
> responsible for any and all data leaks.
>
>  >> It's out:
>
> TP detected...
>
>
> --
> Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
> GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net
>
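
An added example, not part of either message in this thread: a small Python audit of Firefox prefs.js/user.js text showing that security.tls.version.min of 1 already excludes SSL 3.0, while 3 raises the floor to TLS 1.2. The value table follows the MozillaZine KB page cited above; the function names, the default_min parameter and the sample profiles are assumptions constructed for illustration.

```python
import re

# Values of security.tls.version.min/.max per the MozillaZine KB page.
TLS_PREF_VALUES = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}

# Anchored at line start, so commented-out ("// user_pref(...)") lines never match.
PREF_RE = re.compile(
    r'^\s*(?:user_pref|pref)\(\s*"security\.tls\.version\.(min|max)"'
    r'\s*,\s*(-?\d+)\s*\)\s*;'
)

def read_tls_prefs(text):
    """Return the min/max prefs set in the given prefs text; later lines win."""
    found = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            found[m.group(1)] = int(m.group(2))
    return found

def audit(text, default_min=0):
    """Report whether SSL 3.0 stays negotiable under these prefs.

    default_min is an assumption: the value the browser build uses when
    the pref is not set in the profile. Pass the right one for your build.
    """
    prefs = read_tls_prefs(text)
    vmin = prefs.get("min", default_min)
    vmax = prefs.get("max")
    return {
        "min": vmin,
        "min_name": TLS_PREF_VALUES.get(vmin, "unknown"),
        "ssl3_allowed": vmin <= 0,
        # A max below min is a misconfiguration worth flagging for review.
        "inconsistent": vmax is not None and vmax < vmin,
    }

# Constructed sample profiles (not taken from any real system).
SAMPLE_UNSET = 'user_pref("browser.startup.page", 3);\n'
SAMPLE_MIN1 = ('// user_pref("security.tls.version.min", 0);\n'
               'user_pref("security.tls.version.min", 1);\n')
SAMPLE_MIN3 = ('user_pref("security.tls.version.min", 3);\n'
               'user_pref("security.tls.version.max", 1);\n')

if __name__ == "__main__":
    for name, text in (("unset", SAMPLE_UNSET), ("min=1", SAMPLE_MIN1),
                       ("min=3, max=1", SAMPLE_MIN3)):
        print(name, audit(text))
```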
