poodle - Padding Oracle On Downgraded Legacy Encryption SSL vulnerability

[bookmarked]

Quote:

Originally Posted by Lynx-lynx

Thanks Rollei but I've already installed the Mozilla patch.

What I'm asking is how would someone know if they had been affected. What symptoms so to speak.

What happens now when you test your updated Firefox? Does it show vulnerable or not? If it's still showing vulnerable, you can either wait a month or change one setting in the about:config page.

Earlier I mixed up the Firefox version number that disabled SSLv3 by default. There was a different important security fix in FF33. I thought it was already fixed because my FF33.0.1 is not vulnerable, but I had forgotten that I manually disabled SSLv3.

Sorry for the confusion.

[rollei]

Does anyone know what should the values of security.tls.version.max and security.tls.version.min be?

I presently have the following:

security.tls.version.max = 3
security.tls.version.min = 0

What should I set the max and min values to?

[bookmarked]

Quote:

Originally Posted by rollei

Does anyone know what should the values of security.tls.version.max and security.tls.version.min be?

I presently have the following:

security.tls.version.max = 3
security.tls.version.min = 0

What should I set the max and min values to?

You only need to change the min value to 1.
Detailed instructions related to POODLE https://scotthelme.co.uk/sslv3-goes-...-off-protocol/
Reference info http://kb.mozillazine.org/Security.tls.version.*

[rollei]

Quote:

Originally Posted by bookmarked

You only need to change the min value to 1.
Detailed instructions related to POODLE https://scotthelme.co.uk/sslv3-goes-...-off-protocol/
Reference info http://kb.mozillazine.org/Security.tls.version.*

Thank you

Set security.tls.version.min = 1

When I run the SSL Labs, it said "Your user agent is not vulnerable."

[rollei]

Quote:

Originally Posted by bookmarked

You only need to change the min value to 1.

Detailed instructions related to POODLE https://scotthelme.co.uk/sslv3-goes-...-off-protocol/
Reference info http://kb.mozillazine.org/Security.tls.version.*

Those links are very helpful with clear and easy to follow instructions. I've fixed my Internet Explorer too.

[shalym]

Quote:

Originally Posted by eschwartz

FF 33.0.2 is vulnerable, Mozilla will disable SSLv3.0 in FF34.

That's odd--I'm running FF32.0.1 and it came up as not vulnerable. Does that mean the poodletest.com is wrong?

Shari

[Lynx-lynx]

@shalym try testing it on one of the other sites.

[shalym]

Quote:

Originally Posted by Lynx-lynx

@shalym try testing it on one of the other sites.

I did. I still got a result of "not vulnerable"

Shari

[Lynx-lynx]

@shalym that's interesting. When I tested my Firefox (same vers as you) I was vulnerable so I installed the patch and then tested it across the 3 differen testing sites all with the same not vulnerable report.

Maybe you should just install the patch anyway.

[shalym]

Quote:

Originally Posted by Lynx-lynx

@shalym that's interesting. When I tested my Firefox (same vers as you) I was vulnerable so I installed the patch and then tested it across the 3 differen testing sites all with the same not vulnerable report.

Maybe you should just install the patch anyway.

Maybe...I know that my IE version came up as vulnerable on the Poodle site, but FF and Chrome did not. I then installed the Microsoft patch for IE, and re-tested, and now all three browsers are showing as not vulnerable.

Maybe I disabled SSL 3.0 in Firefox and Chrome when the vulnerability was first announced, and forgot that I did it?

Shari

[ottdmk]

Well, I just did some research and discovered that when the fine folks on the FreeBSD-Gecko team ported over Firefox 33 they set the preferences to disable SSL v3. Cool. Explains why both test sites told me I wasn't vulnerable.

[rollei]

Quote:

Originally Posted by shalym

Maybe...I know that my IE version came up as vulnerable on the Poodle site, but FF and Chrome did not. I then installed the Microsoft patch for IE, and re-tested, and now all three browsers are showing as not vulnerable.

Maybe I disabled SSL 3.0 in Firefox and Chrome when the vulnerability was first announced, and forgot that I did it?

Shari

@bookmarked has an excellent link here:
https://scotthelme.co.uk/sslv3-goes-...-off-protocol/

The link has a how-to guide on fixing the SSL3.0 issue. Follow through the guide for Firefox and verify that your settings are the same as the guide (security.tls.version.min = 1).

[shalym]

Quote:

Originally Posted by rollei

@bookmarked has an excellent link here:
https://scotthelme.co.uk/sslv3-goes-...-off-protocol/

The link has a how-to guide on fixing the SSL3.0 issue. Follow through the guide for Firefox and verify that your settings are the same as the guide (security.tls.version.min = 1).

Yup--mine is set to "security.tls.version.min = 1" which is why I'm getting an ok from both test sites. Thanks for finding that, rollei. I guess I fixed it already and just forgot that I had.

Shari

[ShimSham]

This is the first, I've ever heard of any of this. My firefox 33.0.2 was vulnerable, I made a change in the settings and now I am not vulnerable. Thanks for the information.

[Lynx-lynx]

I don't know about anyone else but I downloaded the latest Firefox upgrade recently, 33.0.3, and checked against the poodle tests just for the sake of it.

I'm still poodle clear.