back to article Zombie POODLE wanders in, cocks leg on TLS

Google might have taken POODLE to a distant country road, let it out and driven away fast, but according to Qualys, the vulnerability has returned, repurposed, as an attack on Transaction Layer Security (TLS). Designated CVE-2014-8730, the new attack vector exploits the same class of problem as POODLE: an error in the handling …

  1. Wzrd1

    Whoinhell is using TLS 1.2?

    TLS 3 is the golden standard

  2. Lee D Silver badge

    There seems to be a need for a central page somewhere that says, quite simply:

    What protocols are safe.

    How to configure popular software to use those protocols.

    And it updates, say, once every year or in the event of a major incident.

    Many of the IT people I know aren't aware of these issues, or of the way to avoid them on their networks, and with the ever-changing climate it's important to not carry old knowledge forward.

    I have a browser that let's me checkbox individual SSL/TLS protocols, and I read a fair few tech websites, so I'm fairly confident I'm safe but it would be nice - when setting up a new network - to just have one well-known website to go to that tells me, no, I shouldn't be using WPA or TLS 1.2 or whatever.

    1. Charlie Clark Silver badge

      What protocols are safe?

      That's easy: none.

      The question should be: What protocols are not known to have been broken yet?

      The IETF is probably best placed to manage this assuming sufficient funding is around. We also need to improve the funding for public security research and the development (and intelligent review) of open source stacks. What a pity that the spooks don't realise that this makes things safer for everyone: a smidgen of the NSA's or GCHQ's budget would do wonders.

      1. gnarlymarley Bronze badge

        Has anyone ever realized that the network spies in the the governments around the world are not caring about the encryption on the internet, but they do about the encryption on cell phones? That alone probably means any network encryption has a poodle, even TLSV3

    2. Alan J. Wylie

      Recommended server TLS config

      > There seems to be a need for a central page somewhere that says, quite

      > simply:

      > What protocols are safe

      > How to configure popular software to use those protocols

      https://wiki.mozilla.org/Security/Server_Side_TLS

      is a good start

    3. Irongut

      A couple of cross platform scripts that could test all the major browsers and web servers for compliance would be a lot of help too.

      1. Alan J. Wylie

        > A couple of cross platform scripts that could test all the major browsers

        > and web servers for compliance would be a lot of help too.

        https://www.ssllabs.com/ssltest/

        https://www.ssllabs.com/ssltest/viewMyClient.html

        The server test is already updated to test for CVE-2014-8730

        https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls

  3. Owen
    Alert

    For anyone in Oz, get this . . . I reset my browser's security to only accept TLS 1.2:

    Firefox:

    security.tls.version.max 3

    security.tls.version.min 3

    Went to log into "Seek" (a job web site that used to be mostly "technical") - I couldn't access it because there was no security protocol match. I set the lowest encryption level back to TLS 1.0 and ran the test script at www.ssllabs.com/ssltest/analyze.html?d=seek.com.au and wrote to tell "Seek" about it.

    The result: "Our IT team have responded and would like to thank you for the feedback, they are fowwarding this on to the relevant department for future consideration."

    "Awesome" as the colonials here are prone to saying!

    I do hope that Google start down-ranking insecure sites in their search results ;-)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020