Announcement

Collapse
No announcement yet.

The death of SSL

Collapse
X
Collapse
 
  • Page of 1
  • Filter
  • Time
  • Show
Clear All
new posts
Previous template Next
  • #1

    The death of SSL

    Posted by deathpanels

    POODLE (Padding Oracle On Downgraded Legacy
    Encryption)     is the latest exploit found in SSL, a protocol used widely across the Internet for secure connections.

    Engineers at Google discovered the exploit, and they have written a white paper discussing it.

    In response, Google is disabling SSL in all Google products. Some are calling this the death of SSL.

    For web users, disabling SSL in your browser is recommended.

    Here is a tool to identify if your browser is potentially affected by the POODLE exploit.

    https://addons.mozilla.org/en-US/fir...rsion-control/
    The Hackmaster
    Tags: security, ssl
  • #2
    i can't disable SSL on my Windows 7.

    it would take forever to find one on my PC

    Comment

    • #3
      Sly, see here: https://zmap.io/sslv3/browsers.html

      Opera (Presto users): Ctrl + F12 -> Advanced -> Security -> Security Protocols -> uncheck Enable SSL 3 -> OK (both times) -> Restart browser.

      Comment

      • #4
        Us chrome users don't have to worry.

        Today we are publishing details of a vulnerability in the design of SSL version 3.0. This vulnerability allows the plaintext of secure connections to be calculated by a network attacker. I discovered this issue in collaboration with Thai Duong and Krzysztof Kotowicz (also Googlers).

        SSL 3.0 is nearly 18 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue.

        Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response is to supportTLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.

        Google Chrome and our servers have supported TLS_FALLBACK_SCSV since February and thus we have good evidence that it can be used without compatibility problems. Additionally, Google Chrome will begin testing changes today that disable the fallback to SSL 3.0. This change will break some sites and those sites will need to be updated quickly.

        In the coming months, we hope to remove support for SSL 3.0 completely from our client products.

        Thank you to all the people who helped review and discuss responses to this issue.

        Posted by Bodo Möller, Google Security Team

        [Updated Oct 15 to note that SSL 3.0 is nearly 18 years old, not nearly 15 years old.]
        http://googleonlinesecurity.blogspot...ng-ssl-30.html
        Video Game Chat

        Comment

        • #5
          So much for that 128bit encryption or whatever SSL provided.
          Spoiler Alert! Click to view...

          THE BAD GUY!!!!!!

          Comment

          Previous template Next
          Working...
          X