[ SHOWGSD-L ] Re: poodle attacK

  • From: edwinx@xxxxxxxxxxx
  • To: "" <wynsum@xxxxxxx>, "" <Showgsd-l@xxxxxxxxxxxxx>
  • Date: Wed, 3 Dec 2014 16:52:48 +0000 (UTC)

Say what?????.  Sometimes if wish I would have lived during the cave-man era
, no riots, bombing, FB, kibble or computer  viruses! Oy vey!  
Sent from Xfinity Connect Mobile App


------ Original Message ------

From: Doc Zoe
To: freelist
Sent: December 3, 2014 at 6:33 AM
Subject: [ SHOWGSD-L ] poodle attacK

October 15, 2014 , 10:35 am
With details of the new POODLE attack on SSLv3 now public, browser vendors
are in the process of planning how they’re going to address the issue in
their products in a way that doesn’t break the Internet for millions of u
sers but still provides protection.

The attack, which was disclosed by a trio of Google security researchers on
Tuesday, allows an attacker on the same network as a victim to decrypt
sensitive data that’s protected by SSLv3 encryption. It can be executed in
the background and takes advantage of the fact that when a client tries to
establish a secure connection to a server and fails, the server will attempt
to make the connection using a different protocol, a process known a
s falling back. An attacker can force an unsuccessful connection and make
theserver use SSLv3, and then execute the attack.

Officials at Mozilla said that although Firefox only uses SSLv3 for about
0.3percent of 
transactions globally, the POODLE attack still represents a significant
threat to users. The 
company is planning to remove the vulnerable protocol from Firefox by the
endof next month.
“SSLv3 will be disabled by default in Firefox 34, which will be released
onNov 25.”

“SSLv3 will be disabled by default in Firefox 34, which will be released
onNov 25. The code to 
disable it is landing today in Nightly, and will be promoted to Aurora and
Beta in the next few 
weeks. This timing is intended to allow website operators some time to
upgrade any servers that 
still rely on SSLv3,” Richard Barnes of Mozilla said in a blog post.

“As an additional precaution, Firefox 35 will support a generic TLS
downgrade protection mechanism known as SCSV. If this is supported by the
server, it prevents attacks that rely on insecure fallback.”

Google security officials said that Chrome has supported the SCSV mechanism
since February, but warned that disabling SSLv3 will cause problems for site
owners who still support the protocol.

“Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is
sufficientto mitigate this issue, but presents significant compatibility
problems, even today. Therefore our recommended response is to support
TLS_FALLBAC
K_SCSV. This is a mechanism that solves the problems caused by retrying
failed connections and thus prevents attackers from inducing browsers to use
SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so m
ay help prevent future attacks,” said Bodo Möller, one of the Google
researchers who developed the attack.

“Google Chrome and our servers have supported TLS_FALLBACK_SCSV since
February and thus we have good evidence that it can be used without
compatibility problems. Additionally, Google Chrome will begin testing
changes toda
y that disable the fallback to SSL 3.0. This change will break some sites
andthose sites will need to be updated quickly.”

Microsoft issued an advisory about the POODLE attack on Tuesday but didn’t
announce any 
specific plans for disabling the protocol in Windows or Internet Explorer.
IE6, an ancient version 
of the company’s browser, is the only major browser that doesn’t support
anything newer than 
SSLv3.

“This is an industry-wide vulnerability affecting the SSL 3.0 protocol
itself and is not specific to 
the Windows operating system. All supported versions of Microsoft Windows
implement this 
protocol and are affected by this vulnerability. Microsoft is not aware of
attacks that try to use 
the reported vulnerability at this time. Considering the attack scenario,
this vulnerability is not 
considered high risk to customers,” Microsoft’s advisory says.


Dr Zoe Backman
http://wynsumgsd.com
============================================================================
POST is Copyrighted 2014.  All material remains the property of the original
author and of GSD Communication, Inc. NO REPRODUCTIONS or FORWARDS of any
kind are permitted without prior permission of the original author AND of
theShowgsd-l Management. ALL RIGHTS RESERVED. 

Each Author is responsible for the content of his/her post.  This group and
its administrators are not responsible for the comments or opinions
expressedin any post.

ALL PERSONS ARE ON NOTICE THAT THE FORWARDING, REPRODUCTION OR USE IN ANY
MANNER OF ANY MATERIAL WHICH APPEARS ON SHOWGSD-L WITHOUT THE EXPRESS
PERMISSION OF ALL PARTIES TO THE POST AND THE LIST MANAGEMENT IS EXPRESSLY
FORBIDDEN, AND IS A VIOLATION OF LAW. VIOLATORS OF THIS PROHIBITION WILL BE
PROSECUTED. 

For assistance, please contact the List Management at admin@xxxxxxxxxxx

VISIT OUR WEBSITE - http://showgsd.org  SUBSCRIPTION:
http://showgsd.org/mail.html
NATIONAL BLOG - http://gsdnational.blogspot.com/
============================================================================


============================================================================
POST is Copyrighted 2014.  All material remains the property of the original 
author and of GSD Communication, Inc. NO REPRODUCTIONS or FORWARDS of any kind 
are permitted without prior permission of the original author AND of the 
Showgsd-l Management. ALL RIGHTS RESERVED. 

Each Author is responsible for the content of his/her post.  This group and its 
administrators are not responsible for the comments or opinions expressed in 
any post.

ALL PERSONS ARE ON NOTICE THAT THE FORWARDING, REPRODUCTION OR USE IN ANY 
MANNER OF ANY MATERIAL WHICH APPEARS ON SHOWGSD-L WITHOUT THE EXPRESS 
PERMISSION OF ALL PARTIES TO THE POST AND THE LIST MANAGEMENT IS EXPRESSLY 
FORBIDDEN, AND IS A VIOLATION OF LAW. VIOLATORS OF THIS PROHIBITION WILL BE 
PROSECUTED. 

For assistance, please contact the List Management at admin@xxxxxxxxxxx

VISIT OUR WEBSITE - http://showgsd.org  SUBSCRIPTION: 
http://showgsd.org/mail.html
NATIONAL BLOG - http://gsdnational.blogspot.com/
============================================================================

Other related posts: