A blog about SCAMP (Small Craft Advisor Magazine Project) boats. Covering the build, sailing the boat and the scamp community that has formed around this little portly boat.

Tuesday, October 14, 2014

CVE-2014-3566 POODLE

Some vulnerability details were released today about the POODLE vulnerability.
That poor dog

I've done some analysis for users of F5's BIG-IP and posted it.

The short story is that POODLE exploits something we've known about for some time. There is the bit about forcing clients to fallback to the older SSLv3 protocol. That's rather clever but not really novel.
If you run a server, you should disable SSLv3. There are lots of ways to do that. Frankly, you should disable TLSv1.0 also and support only TLS1.2 for reasons I blogged about 18 months ago.

The frustrating part is that as a consumer there isn't much you can do about this at all. My version of Safari won't let me disable SSLv3. At least I can't find how to do it. Chrome and FF will probably update themselves eventually.

This has been an interesting year in my field.

No comments:

Post a Comment