  1. #1
    5 Star Lounger
    Join Date
    Jan 2011
    Location
    Seattle, WA
    Posts
    1,070
    Thanks
    42
    Thanked 132 Times in 86 Posts

    Protecting yourself from POODLE attacks






    By Susan Bradley

    No, this isn't about Fluffy gone rogue. To keep our online browsing safe, we rely heavily on security protocols — the "S" in HTTPS.

    But a new exploit — POODLE — shows that commonly used security protocols aren't as secure as we thought; websites and browsers will both need an upgrade.

    The full text of this column is posted at http://windowssecrets.com/top-story/...oodle-attacks/ (opens in a new window/tab).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.
    Last edited by Kathleen Atkins; 2014-10-22 at 20:00.

  2. The Following User Says Thank You to Kathleen Atkins For This Useful Post:

    csmart4125 (2014-11-20)

  3. #2
    Super Moderator
    Join Date
    Jun 2011
    Location
    New England
    Posts
    4,756
    Thanks
    171
    Thanked 653 Times in 576 Posts
    Probably a web formatting glitch, but in the shortcut workaround to disable SSL in Chrome, the character before ssl should be TWO hyphens, not an N dash, e.g.:

    --ssl-version-min=tls1

    not –ssl-version-min=tls1


    EDIT: The shortcut target addition is OK if you copy and paste it from the newsletter email; just the web page got two hyphens converted to a dash.

    Bruce
    Last edited by BruceR; 2014-10-23 at 06:11.

  4. #3
    Lounger
    Join Date
    Mar 2010
    Location
    South Melbourne, Victoria, Australia
    Posts
    28
    Thanks
    0
    Thanked 1 Time in 1 Post
    Hi Bruce,
    Wondered if the shortcut could point to tls2?
    My understanding is that it would automatically fall back to tls1.1 or tls1 as required if admins are too lazy or busy to implement the latest?

  5. #4
    Star Lounger
    Join Date
    Dec 2009
    Location
    UK
    Posts
    60
    Thanks
    0
    Thanked 20 Times in 2 Posts
    I tried the test site using up-to-date Chrome (both 32-bit and 64-bit) without the fix described here and it said it was safe.

  6. #5
    4 Star Lounger SpywareDr's Avatar
    Join Date
    Dec 2009
    Location
    Riviera Beach, Maryland, USA
    Posts
    492
    Thanks
    10
    Thanked 52 Times in 43 Posts
    Firefox, SeaMonkey, Pale Moon - Change the value of "0" for "security.tls.version.min" to "1" using about:config.


    Chrome - In HKEY_CLASSES_ROOT, edit the http/shell/open/command from:

    "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1"

    to:

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --ssl-version-min=tls1 -- "%1"

    (Using this registry approach protects all of Chrome, no matter how you open it).


    Internet Explorer - Tools > Internet Options > Advanced tab, scroll all the way down, deselect/uncheck "Use SSL 3.0", click Apply > OK.


    For a simple test, Poodletest.com displays a poodle dog if your browser still supports SSL 3.0, and a Springfield terrier if it doesn’t. On the other hand, Qualys SSL Labs provides a more detailed analysis of the SSL protocols your browser supports.
    Last edited by SpywareDr; 2014-10-23 at 09:00.
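
An added example (not part of any post in this thread, and not code from Chrome or the newsletter): a Python check of a Chrome shortcut target or registry open command for the switch discussed in posts #2 and #5. It flags the dash glitch from post #2 and a switch placed after the bare `--`; the function name `audit_command` and the list of accepted values are assumptions.

```python
import re

FLAG = "--ssl-version-min"
# Assumption: values the switch accepted when this thread was written,
# ordered weakest to strongest.
VERSIONS = ["ssl3", "tls1", "tls1.1", "tls1.2"]
LOOKALIKES = "\u2013\u2014\u2212"  # en dash, em dash, minus sign
CHROME = r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'


def audit_command(command, minimum="tls1"):
    """Classify a Chrome shortcut target or registry open command.

    Returns one of: ok, weak, unknown-value, ignored, typo, missing.
    """
    # Split into quoted strings and bare words, as the Windows launcher would.
    tokens = re.findall(r'"[^"]*"|\S+', command)
    args = tokens[1:]  # tokens[0] is the executable path
    # Chrome stops reading switches at a bare "--"; what follows is a URL/file.
    end = args.index("--") if "--" in args else len(args)
    for pos, arg in enumerate(args):
        name, _, value = arg.partition("=")
        if name == FLAG:
            if pos > end:
                return "ignored"  # present, but after the terminator
            if value not in VERSIONS:
                return "unknown-value"
            strong = VERSIONS.index(value) >= VERSIONS.index(minimum)
            return "ok" if strong else "weak"
        # Web pages and word processors can turn "--" into one dash glyph.
        if (name.startswith(tuple(LOOKALIKES))
                and name.lstrip(LOOKALIKES + "-") == FLAG[2:]):
            return "typo"
    return "missing"


# Constructed samples built from the commands quoted in the thread.
SAMPLES = [
    CHROME + ' -- "%1"',                         # unmodified registry value
    CHROME + ' --ssl-version-min=tls1 -- "%1"',  # the fix from post #5
    CHROME + " \u2013ssl-version-min=tls1",      # en dash pasted from the web
    CHROME + ' -- "%1" --ssl-version-min=tls1',  # switch after the terminator
    CHROME + ' --ssl-version-min=ssl3 -- "%1"',  # switch present, SSL 3.0 kept
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{audit_command(sample):8} {sample}")
```
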

  7. #6
    5 Star Lounger
    Join Date
    Nov 2010
    Posts
    665
    Thanks
    1
    Thanked 26 Times in 24 Posts
    Just tried the Chrome fix for Iron Browser and it works with it too. The path's different of course. For my WinXP VM:

    "C:\Program Files\SRWare Iron\chrome.exe" --ssl-version-min=tls1

  8. #7
    New Lounger
    Join Date
    Nov 2013
    Posts
    3
    Thanks
    0
    Thanked 1 Time in 1 Post
    For a simple test, Poodletest.com displays a poodle dog if your browser still supports SSL 3.0, and a Springfield terrier if it doesn’t. On the other hand, Qualys SSL Labs provides a more detailed analysis of the SSL protocols your browser supports.
    I got the terrier (Not Vulnerable) and on the Qualys site I got "Vulnerable" from the same browser (untouched Chrome). I am not sure one should rely on the simple test...

  9. #8
    New Lounger
    Join Date
    Dec 2009
    Location
    Richmond, Virginia
    Posts
    6
    Thanks
    0
    Thanked 2 Times in 1 Post
    Hmmm. Not certain what to make of this as I DO NOT USE ANY of the browsers for which fixes are specifically offered and I do not have but one browser--to the extent that same is possible, I have DISABLED IE. Am I to conclude that browsers that are not specifically mentioned, e.g., Opera, are not at risk? I've also stopped updating Opera because of its penchant to overwrite all the configuration changes I have made to it, so would I need to be concerned about what specific version of ANY BROWSER I might henceforth use?

  10. #9
    5 Star Lounger RussB's Avatar
    Join Date
    Dec 2009
    Location
    Grand Rapids, Michigan
    Posts
    803
    Thanks
    10
    Thanked 50 Times in 49 Posts
    Isn't Opera based on Firefox? Try the 'about:config' in post number five.
    Do you "Believe"? Do you vote? Please Read:
    LEARN something today so you can TEACH something tomorrow.
    DETAIL in your question promotes DETAIL in my answer.
    Dominus Vobiscum <))>(

  11. #10
    New Lounger
    Join Date
    Apr 2010
    Location
    Missoula, Montana
    Posts
    10
    Thanks
    0
    Thanked 0 Times in 0 Posts
    When I accessed poodletest.com using Firefox, I received the following warning from my antivirus suite:

    "Address:
    http://www.poodletest.com/

    Trend Micro has confirmed that this website can transmit malicious software or has been involved in online scams or fraud.

    Please close this page." Is Susan Bradley aware of this? Is it truly a valid threat? What do you make of it?

  12. #11
    4 Star Lounger SpywareDr's Avatar
    Join Date
    Dec 2009
    Location
    Riviera Beach, Maryland, USA
    Posts
    492
    Thanks
    10
    Thanked 52 Times in 43 Posts
    Poodletest.com
    Known Issues

    Make sure you clear your cache between tests.

    The test requires that you are able to connect to an SSLv3 only site. There are some false positives/false negatives that you may experience. For example, if your connection is slow, the connection to the test site will time out and your browser may wrongly show up as not vulnerable.

    Browser Specific Issues:

    Firefox

    Firefox is picky as to what ciphers it accepts. The test site supports a wide range of ciphers to allow Firefox to connect.

    Safari

    Apple stated that the Safari update released on Oct 17th no longer allows block ciphers via SSLv3. The test site (on purpose) only supports block ciphers as they are vulnerable to POODLE. However, my testing so far shows that Safari will still connect to the test site using ciphers like AES256. Safari should show up as not-vulnerable if it only supports stream ciphers over SSLv3.

    Android

    I am getting some reports of inconsistent and wrong results with Android. Haven't quite been able to reproduce some of the reported issues.

    More Information:

    Acknowledgements:

    Thanks Andreas for suggesting a javascript trick to avoid image caching.

  13. #12
    4 Star Lounger SpywareDr's Avatar
    Join Date
    Dec 2009
    Location
    Riviera Beach, Maryland, USA
    Posts
    492
    Thanks
    10
    Thanked 52 Times in 43 Posts
    DisableSSLv3.com
    A community-powered step-by-step tutorial on disabling the security protocol you now love to hate.

  14. The Following User Says Thank You to SpywareDr For This Useful Post:

    Trev (2014-10-23)

  15. #13
    New Lounger
    Join Date
    Dec 2009
    Location
    Richmond, Virginia
    Posts
    6
    Thanks
    0
    Thanked 2 Times in 1 Post
    Quote Originally Posted by RussB View Post
    Isn't Opera based on Firefox? Try the 'about:config' in post number five.
    Opera was originally developed for Linux, while if I am not mistaken, Firefox is based on Netscape Communicator, so any parallels between them are apt to be largely coincidental.

  16. #14
    4 Star Lounger SpywareDr's Avatar
    Join Date
    Dec 2009
    Location
    Riviera Beach, Maryland, USA
    Posts
    492
    Thanks
    10
    Thanked 52 Times in 43 Posts

  17. #15
    New Lounger
    Join Date
    Dec 2009
    Location
    Chatham, UK
    Posts
    15
    Thanks
    0
    Thanked 6 Times in 4 Posts
    If you are using Firefox or Pale Moon, try the following. Install the Pale Moon Commander add-on. Then select Options, click the Security button, click the SSL tab, and where it says, lowest supported protocol, click on the drop-down box, and select TLS 1.0, and finally the OK button to close the window. That's it!
