SSLv3 Vulnerability (CVE-2014-3566, POODLE)
Anyone have any idea what this new SSLv3 issue might be, as hinted by Krebs?
I've renamed this thread's title and stickied it for the time being. Also, with all due respect, I've deleted the attachment as it should remain at the site where it originates for several reasons (see PDF link below).
http://googleonlinesecurity.blogspot...ng-ssl-30.html
https://www.openssl.org/~bodo/ssl-poodle.pdf
https://www.imperialviolet.org/2014/10/14/poodle.html
http://cve.mitre.org/cgi-bin/cvename...=CVE-2014-3566
*Also note https://www.openssl.org/news/secadv_20141015.txt holds 3 CVEs:
- CVE-2014-3513 (DoS) affecting OpenSSL 1.0.1 before 1.0.1j,
- CVE-2014-3567 (DoS) affecting all 0.9.8, 1.0.0 and 1.0.1 users,
- CVE-2014-3568 affecting all 0.9.8, 1.0.0 and 1.0.1 users.
TA14-290A: SSL 3.0 Protocol Vulnerability and POODLE Attack
US-CERT has released the subject Alert: see https://www.us-cert.gov/ncas/alerts/TA14-290A.
The alert includes description, impact and solution information. Hope this helps some.
and something related..... oh-g, hmmm, it's like y2k, but at least y2k provoked millions of $$ to consultants to try and fix the issue before it happened, and yrs prior to 2000. look around, big guys like ahoo, MS, and gool still using SHA1 certs....
https://www.symantec.com/page.jsp?id=sha2-transition
https://blog.mozilla.org/security/20...re-algorithms/
https://www.digicert.com/sha-2-ssl-certificates.htm
Alert (TA14-290A) SSL 3.0 Protocol Vulnerability and POODLE Attack
Original release date: October 17, 2014 | Last revised: December 10, 2014
See revised notice at https://www.us-cert.gov/ncas/alerts/TA14-290A. Note the recommended SSL versions: