Date: Tue, 14 Oct 2014 23:05:15 -0700
From: Krassimir Tzvetanov <maillists@...ssi.biz>
To: oss-security@...ts.openwall.com
Subject: Re: SSL POODLE (Truly scary SSL 3.0 vuln)

Agreed: just I think you meant "1":
security.tls.version.min == 1 (not 3)...

from: http://kb.mozillazine.org/Security.tls.version.*
---
1
TLS 1.0 is the minimum required / maximum supported encryption protocol.
(This is the current default for the maximum supported version.)
---

Best,
Krassi

On Tue, Oct 14, 2014 at 10:58 PM, <gremlin@...mlin.ru> wrote:

> On 15-Oct-2014 05:28:34 +0000, Sona Sarmadi wrote:
>
> > A reflection: Maybe we shouldn't post information like this
> > here or somewhere else which is not published yet even if
> > the information has leaked out? Although all members here are
> > reliable but it is still an open mailing list and we should
> > be careful and act more responsibly.
>
> Why? Old ciphers are well known as totally insecure (generally
> speaking, even some "new" are insecure as well), so the POODLE
> description does nothing but show one more attack vector.
>
> The protection against the POODLE is quite simple:
>
> 1. For servers: disable weak encryption (in assumption they are
> updated on a regular basis).
>
> 2. For users: update old software. Alas, fully disabling weak
> encryption (e.g. set security.tls.version.min == 3 in Firefox)
> isn't what we can demand, but that leaves the user personally
> responsible for any and all data leaks.
>
> >> It's out:
>
> TP detected...
>
>
> --
> Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
> GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net
>
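An added example, not part of the original message or of Firefox: a small audit of a Firefox `prefs.js`/`user.js` that reports what the `security.tls.version.min` values discussed above resolve to and whether SSL 3.0 can still be negotiated. The function names, the sample profiles and the `default_min`/`default_max` fallbacks are assumptions made for illustration. Only the value 1 (TLS 1.0) is quoted in the thread; the rest of the mapping comes from the Firefox preference documentation.

```python
import re

# Values of security.tls.version.min / .max. Value 1 = TLS 1.0 is quoted in
# the message above; the other rows come from the Firefox preference
# documentation, not from the thread.
VERSIONS = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}

PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"security\.tls\.version\.(min|max)"\s*,\s*(\d+)\s*\)\s*;'
)

def parse_tls_prefs(text):
    """Collect the min/max prefs from prefs.js/user.js text; the last one wins."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_RE.match(line)  # lines commented out with // do not match
        if match:
            prefs[match.group(1)] = int(match.group(2))
    return prefs

def audit(text, default_min=0, default_max=3):
    """Report the effective protocol range and whether SSL 3.0 is permitted.

    default_min/default_max stand in for the browser's built-in defaults when
    a pref is absent from the file; they are caller-supplied assumptions.
    """
    prefs = parse_tls_prefs(text)
    lo = prefs.get("min", default_min)
    hi = prefs.get("max", default_max)
    return {
        "min": VERSIONS.get(lo, "unknown"),
        "max": VERSIONS.get(hi, "unknown"),
        "explicit_min": "min" in prefs,   # False: relying on the built-in default
        "ssl3_allowed": lo == 0,
        "range_valid": lo <= hi,
    }

# Constructed sample profiles (not taken from any real system).
PROFILE_UNSET = 'user_pref("browser.startup.page", 3);\n'
PROFILE_MIN_1 = 'user_pref("security.tls.version.min", 1);\n'
PROFILE_MIN_3 = (
    '// user_pref("security.tls.version.min", 0);\n'
    'user_pref("security.tls.version.min", 3);\n'
    'user_pref("security.tls.version.max", 3);\n'
)

if __name__ == "__main__":
    for name, text in [("unset", PROFILE_UNSET), ("min=1", PROFILE_MIN_1),
                       ("min=3", PROFILE_MIN_3)]:
        print(name, audit(text))
```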