securitybreach Posted October 15, 2014 Share Posted October 15, 2014 On a day when system administrators were already taxed addressing several security updates released by Microsoft, Oracle, and Adobe, there is now word of a new security hole discovered in a basic protocol used for encrypting web traffic. Its name is POODLE, which stands for Padding Oracle on Downgraded Legacy Encryption, and it was discovered by three Google security researchers—Bodo Moller, Thai Duong, and Krzysztof Kotowicz. They published a paper (.pdf) about it today. POODLE affects SSLv3 or version 3 of the Secure Sockets Layer protocol, which is used to encrypt traffic between a browser and a web site or between a user’s email client and mail server. It’s not as serious as the recent Heartbleed and Shellshock vulnerabilities, but POODLE could allow an attacker to hijack and decrypt the session cookie that identifies you to a service like Twitter or Google, and then take over your accounts without needing your password. To exploit the vulnerability, you must be running javascript, and the attacker has to be on the same network as you—for example, on the same Starbucks Wi-Fi network you’re using. This makes it less severe than an attack that can be conducted remotely against any computer on the Internet. The attack works only on traffic sessions using SSLv3...... http://www.wired.com...oodle-explained Quote Link to comment Share on other sites More sharing options...
Cluttermagnet Posted October 15, 2014 Share Posted October 15, 2014 Ugh! I sooooo like my klunky old wired Ethernet connections. All this repetitive carp makes me continue to feel not up to handling wifi. It just scares me to death. I have yet to personally own a lappie. I can restrain myself from computing until I get back home... 1 Quote Link to comment Share on other sites More sharing options...
securitybreach Posted October 15, 2014 Author Share Posted October 15, 2014 You do realize has wifi been widely used since about 1999.. I think your a bit over the top in how you think about Wifi. To each, their own but everything is vulnerable in one way or another. Your ethernet is also vulnerable to attacks. If you are a target, there is always a way in... More info on the attack: How POODLE happened Quote Link to comment Share on other sites More sharing options...
Guest LilBambi Posted October 16, 2014 Share Posted October 16, 2014 WiFi is still pretty safe with WPA2/AES. It hasn't been completely cracked like previous versions of WiFi encryption. Since you are on such old hardware, I would make sure that if you do use a laptop, that the wireless card is capable of WPA2/AES. Quote Link to comment Share on other sites More sharing options...
securitybreach Posted October 16, 2014 Author Share Posted October 16, 2014 Well you can still crack WPA2 but not as fast as WEP/WPA1.... Quote Link to comment Share on other sites More sharing options...
Guest LilBambi Posted October 16, 2014 Share Posted October 16, 2014 Only partially if I remember correctly... Quote Link to comment Share on other sites More sharing options...
securitybreach Posted October 16, 2014 Author Share Posted October 16, 2014 Only partially if I remember correctly... Trust me, you can.... A simple google search will show you this..... airmon-ng and reaver Quote Link to comment Share on other sites More sharing options...
securitybreach Posted October 17, 2014 Author Share Posted October 17, 2014 US Cert advisory Alert (TA14-290A) SSL 3.0 Protocol Vulnerability and POODLE Attack 1 Quote Link to comment Share on other sites More sharing options...
V.T. Eric Layton Posted October 17, 2014 Share Posted October 17, 2014 Got that via email this morning. Quote Link to comment Share on other sites More sharing options...
Guest LilBambi Posted October 18, 2014 Share Posted October 18, 2014 Yep... Quote Link to comment Share on other sites More sharing options...
abarbarian Posted October 18, 2014 Share Posted October 18, 2014 I thought poodles were supposed to make good guard dogs not thieves companions !!! 1 Quote Link to comment Share on other sites More sharing options...
securitybreach Posted October 18, 2014 Author Share Posted October 18, 2014 I thought poodles were supposed to make good guard dogs not thieves companions !!! Right Quote Link to comment Share on other sites More sharing options...
Cluttermagnet Posted October 24, 2014 Share Posted October 24, 2014 (edited) There is this addon for Firefox: https://addons.mozil...ersion-control/ Worked on the machine I tried it on using poodletest.com to test: https://www.poodletest.com/ BTW I'm understanding that this problem would be universal, i.e. not just a vulnerability of any one particular OS- right? I read somewhere that a new FF release will fix this in about a month... (for browser users) Edited October 24, 2014 by Cluttermagnet Quote Link to comment Share on other sites More sharing options...
V.T. Eric Layton Posted October 24, 2014 Share Posted October 24, 2014 (edited) This is what I saw there with Chromium, Chrome, and Opera in Slackware: Edited October 24, 2014 by V.T. Eric Layton 1 Quote Link to comment Share on other sites More sharing options...
V.T. Eric Layton Posted October 24, 2014 Share Posted October 24, 2014 Oooh, bad news for Firefox, though. Quote Link to comment Share on other sites More sharing options...
securitybreach Posted October 25, 2014 Author Share Posted October 25, 2014 Odd as my firefox and chromium both show "Not Vulnerable". Quote Link to comment Share on other sites More sharing options...
V.T. Eric Layton Posted October 25, 2014 Share Posted October 25, 2014 I'm probably using an old FF. Quote Link to comment Share on other sites More sharing options...
ebrke Posted October 25, 2014 Share Posted October 25, 2014 (edited) I chose to change the value for security.tls.version.min to 1 in FF about:config rather than using the plug-in. My FF shows as not vulnerable at poodletest.com. Edited October 25, 2014 by ebrke Quote Link to comment Share on other sites More sharing options...
V.T. Eric Layton Posted October 26, 2014 Share Posted October 26, 2014 Slackware uses the Extended Support versions of FF, so mine is only version 24.8.1 ESR. Mozilla will issue a patch eventually. Quote Link to comment Share on other sites More sharing options...
ebrke Posted October 26, 2014 Share Posted October 26, 2014 Slackware uses the Extended Support versions of FF, so mine is only version 24.8.1 ESR. Mozilla will issue a patch eventually. Why not change the value in about:config? Quote Link to comment Share on other sites More sharing options...
zlim Posted October 26, 2014 Share Posted October 26, 2014 I changed the value in about:config because we were using FF 28 and PM 24. Quote Link to comment Share on other sites More sharing options...
V.T. Eric Layton Posted October 27, 2014 Share Posted October 27, 2014 Why not change the value in about:config? I don't use FF anymore, so why bother? Quote Link to comment Share on other sites More sharing options...
Guest LilBambi Posted October 31, 2014 Share Posted October 31, 2014 This is what I saw there with Chromium, Chrome, and Opera in Slackware: Same here on the Mac and Debian Wheezy on Google Chrome. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.