POODLE SSLv3 vulnerability
Ryan Steinmetz
zi at FreeBSD.org
Wed Oct 15 02:15:14 UTC 2014
On (10/15/14 03:03), Dag-Erling Smørgrav wrote:
>Summary: Google researchers have discovered a plaintext recovery attack
>against SSL 3.0 with no known mitigation.
>
>I would like us to ship Firefox with SSL 3.0 disabled by default. This
>means setting security.tls.version.min to 1, or, in terms of code,
>changing the initial value of PSM_DEFAULT_MIN_TLS_VERSION from 0 to 1 in
>security/manager/ssl/src/nsNSSComponent.cpp. I assume that other
>Mozilla ports use the same code and require the same changes.
>
>Note that this does not preclude the user from changing the setting back
>to 0 in about:config.
>
>I would also like to do the same for Chrome, but I don't know the exact
>procedure and I am unable to find out or test, since Chrome has been
>broken for several months.
>
FireFox devs will be disabling SSLv3 by default in the November release of
Firefox:
https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
In the interim, they've released an addon to force TLS only:
https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/
It might be less surprising if we bundle the addon with the current
installation.
-r
>DES
>--
>Dag-Erling Smørgrav - des at des.no
>_______________________________________________________
>Please think twice when forwarding, cc:ing, or bcc:ing
>ports-security-team messages. Ask if you are unsure.
--
Ryan Steinmetz
PGP: 9079 51A3 34EF 0CD4 F228 EDC6 1EF8 BA6B D028 46D7
More information about the freebsd-gecko
mailing list