LinuxQuestions.org

Linux - News: SSLv3 Vulnerability (CVE-2014-3566, POODLE) (https://www.linuxquestions.org/questions/linux-news-59/sslv3-vulnerability-cve-2014-3566-poodle-4175521966/)

Linux_Kidd 10-13-2014 09:14 AM

SSLv3 Vulnerability (CVE-2014-3566, POODLE)
 
Anyone have any idea what this new SSLv3 issue might be, as hinted by Krebs?

unSpawn 10-15-2014 02:08 PM

I've renamed this thread's title and stickied it for the time being. Also, with all due respect, I've deleted the attachment as it should remain at the site where it originates for several reasons (see PDF link below).

http://googleonlinesecurity.blogspot...ng-ssl-30.html
https://www.openssl.org/~bodo/ssl-poodle.pdf
https://www.imperialviolet.org/2014/10/14/poodle.html
http://cve.mitre.org/cgi-bin/cvename...=CVE-2014-3566

unSpawn 10-16-2014 01:32 AM

Also note https://www.openssl.org/news/secadv_20141015.txt holds 3 CVEs:
- CVE-2014-3513 (DoS) affecting OpenSSL 1.0.1 before 1.0.1j,
- CVE-2014-3567 (DoS) affecting all 0.9.8, 1.0.0 and 1.0.1 users,
- CVE-2014-3568 affecting all 0.9.8, 1.0.0 and 1.0.1 users.

tronayne 10-17-2014 02:28 PM

TA14-290A: SSL 3.0 Protocol Vulnerability and POODLE Attack
 
US-CERT has released the subject Alert: see https://www.us-cert.gov/ncas/alerts/TA14-290A.

The alert includes description, impact and solution information.

Hope this helps some.

Linux_Kidd 10-17-2014 08:09 PM

And something related..... oh-g, hmmm, it's like Y2K, but at least Y2K provoked millions of $$ to consultants to try and fix the issue before it happened, and years prior to 2000. Look around, big guys like Yahoo, MS, and Google still using SHA1 certs....

https://www.symantec.com/page.jsp?id=sha2-transition
https://blog.mozilla.org/security/20...re-algorithms/
https://www.digicert.com/sha-2-ssl-certificates.htm

tronayne 12-10-2014 12:54 PM

Alert (TA14-290A) SSL 3.0 Protocol Vulnerability and POODLE Attack

Original release date: October 17, 2014 | Last revised: December 10, 2014

See revised notice at https://www.us-cert.gov/ncas/alerts/TA14-290A.

Note the recommended SSL versions:
  • OpenSSL 1.0.1 users should upgrade to 1.0.1j.
  • OpenSSL 1.0.0 users should upgrade to 1.0.0o.
  • OpenSSL 0.9.8 users should upgrade to 0.9.8zc.
Hope this helps some.
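A quick way to act on the version list above is to compare what `openssl version` reports against the three fixed releases. The script below is an added example, not code from the thread or from the US-CERT alert; it parses OpenSSL's old letter-suffix version scheme (where 0.9.8zc is newer than 0.9.8y because the suffix ran a..z and then za, zb, zc) and reports whether a host's library is below the fix for its branch. The sample version strings at the bottom are constructed for illustration.

```python
import re

# Fixed releases per branch, taken from the TA14-290A list quoted above.
FIXED_VERSIONS = {
    "1.0.1": "1.0.1j",
    "1.0.0": "1.0.0o",
    "0.9.8": "0.9.8zc",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse_openssl_version(text):
    """Turn '1.0.1g', '0.9.8zc' or a full `openssl version` line such as
    'OpenSSL 1.0.1e 11 Feb 2013' into a tuple that sorts in release order:
    (major, minor, fix, suffix_length, suffix)."""
    m = re.search(r"(\d+\.\d+\.\d+[a-z]*)", text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, fix, letters = _VERSION_RE.match(m.group(1)).groups()
    # Patch letters run a..z, then za, zb, zc ...; a longer suffix is always
    # newer, so compare the suffix length before the letters themselves.
    return (int(major), int(minor), int(fix), len(letters), letters)


def branch_of(version_tuple):
    """'1.0.1' for (1, 0, 1, ...)."""
    return "%d.%d.%d" % version_tuple[:3]


def poodle_status(text):
    """'patched', 'vulnerable', or 'unknown' (branch not in the alert)."""
    v = parse_openssl_version(text)
    fixed = FIXED_VERSIONS.get(branch_of(v))
    if fixed is None:
        return "unknown"
    return "patched" if v >= parse_openssl_version(fixed) else "vulnerable"


def audit(version_lines):
    """Map each reported version line to its status."""
    return {line: poodle_status(line) for line in version_lines}


if __name__ == "__main__":
    # Constructed sample output from `openssl version` on several hosts.
    samples = [
        "OpenSSL 1.0.1e 11 Feb 2013",
        "OpenSSL 1.0.1j 15 Oct 2014",
        "OpenSSL 0.9.8y 5 Feb 2013",
        "OpenSSL 0.9.8zc 15 Oct 2014",
        "OpenSSL 1.0.0o 15 Oct 2014",
    ]
    for line, status in audit(samples).items():
        print("%-32s %s" % (line, status))
```

Two caveats when reading the result: distribution packages often backport the fix without bumping the upstream version string (a "1.0.1e" on an enterprise distro may already carry it, so check the package changelog before trusting a "vulnerable" verdict), and upgrading the library does not by itself stop a server from negotiating SSLv3; disabling SSLv3 in the server configuration is the separate step the alert's solution section covers.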

