
Re: [LUG] Disabling SSLv3 everywhere


On 15/10/14 07:48, Martijn Grooten wrote:
> 
> I do think attacking IMAP/POP3 is pretty difficult though, thus making
> the issue a lot less urgent than on web browsers and servers.

Yes, web servers are all done.

Browsers are more mixed...

Firefox: about:config, "security.tls.min.version 1" (1 = "TLSv1.0").
Whilst there, search for "rc4" if you are really paranoid, and disable
those ciphers.

Chrome needs command line arguments for everything. Google say they will
disable it, but the latest Chrome release was catching up with Adobe
Flash issues.

Chrome also isn't doing revocation checking, but does have an XSS
auditor; you pays your money and takes your choice. I run Firefox
without Flash or Java where it matters most to me, and have hardened the
TLS settings, and some others, but let's not kid ourselves, it is still
hideously vulnerable.

I'm taking the opportunity to ditch SSLv3 from everything. Various
recommendations were saying it is old, and a bit rough around the edges,
so this issue is a good opportunity to bury it.

Fortunately I'd done IMAP4S and POP3S, so I got stunnel working with
regular protocols easily enough.

Not sure from the description how hard it is to exploit in other protocols.
Sounds like it would need a contrived situation to make it work against
mail protocols, but I can imagine if you can force repeated sending of
an email (or repeated fetching of emails?), it might be possible to use
a similar attack to reveal email credentials, but probably by that point
most attackers have what they need (new spam source), since you've
probably already sent 100,000s of emails. Not sure what impact date/time
stamps and the like have, but fairly sure with the details out there it
will be ripped open quickly if there is a way.



-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
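One way to confirm that SSLv3 really is gone from the IMAPS, POP3S and HTTPS ports discussed above, as an added example that is not part of the original post or the list: a small Python probe that sends a bare SSLv3 ClientHello and classifies the first record the server returns. A server that is still willing to talk SSLv3 answers with a ServerHello at version 3.0; a hardened one sends a fatal alert or simply closes the connection. The host name and port are command-line arguments (the "mail.example" in the comment is a placeholder), and the server replies in SAMPLE_RESPONSES are constructed by hand so the classifier can be exercised offline.

```python
"""Probe whether an implicit-TLS port (IMAPS 993, POP3S 995, HTTPS 443) still
accepts an SSLv3 handshake, and classify the server's first record in reply.
Added example for this thread, not code from the original post; the replies in
SAMPLE_RESPONSES are constructed by hand so the classifier runs offline."""
import os
import socket
import struct
import sys
import time

SSLV3 = (3, 0)
# IANA cipher suite ids an SSLv3-era server would recognise:
# RSA_3DES_EDE_CBC_SHA, RSA_RC4_128_SHA, RSA_RC4_128_MD5, RSA_AES_128_CBC_SHA.
CIPHER_SUITES = [0x000A, 0x0005, 0x0004, 0x002F]
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure",
                      47: "illegal_parameter", 70: "protocol_version"}


def build_client_hello(version=SSLV3, suites=CIPHER_SUITES, random_bytes=None):
    """Return one record (content type 0x16) carrying a ClientHello for version."""
    if random_bytes is None:                          # 4-byte time + 28 random
        random_bytes = struct.pack("!I", int(time.time())) + os.urandom(28)
    body = bytes(version) + random_bytes
    body += b"\x00"                                   # empty session id
    body += struct.pack("!H", 2 * len(suites))        # cipher_suites length
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                               # one compression method: null
    # Handshake header: type 1 (ClientHello) + 24-bit body length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Map the server's first record to one of:
    ("sslv3_accepted", suite) / ("refused", alert_name) / ("closed", None) /
    ("other", detail) for unexpected versions or truncated records."""
    if not data:
        return ("closed", None)
    if len(data) < 5:
        return ("other", "truncated record header")
    content_type = data[0]
    if content_type == 0x15:                          # Alert: level, description
        if len(data) < 7:
            return ("other", "truncated alert")
        return ("refused", ALERT_DESCRIPTIONS.get(data[6], "alert_%d" % data[6]))
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:   # ServerHello
        server_version = (data[9], data[10])
        if server_version != SSLV3:
            return ("other", "ServerHello version %d.%d" % server_version)
        # Offset 43 = 5 record + 4 handshake header + 2 version + 32 random.
        if len(data) < 44 or len(data) < 46 + data[43]:
            return ("other", "truncated ServerHello")
        sid_len = data[43]
        suite = struct.unpack("!H", data[44 + sid_len:46 + sid_len])[0]
        return ("sslv3_accepted", suite)
    return ("other", "content type 0x%02x" % content_type)


def probe(host, port, timeout=5.0):
    """Live check. Plain IMAP/POP3 ports (143/110) would need a STARTTLS
    exchange first, which this deliberately does not attempt."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            data = s.recv(4096)
        except socket.timeout:
            data = b""
    return classify_response(data)


def build_server_hello(version, suite, session_id=b""):
    """Constructed ServerHello record, used only to make offline sample data."""
    body = bytes(version) + b"\x00" * 32 + bytes([len(session_id)]) + session_id
    body += struct.pack("!H", suite) + b"\x00"        # chosen suite, null compression
    handshake = b"\x02" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


# Constructed replies: an old stunnel completing an SSLv3 handshake, two
# hardened services answering with fatal alerts, and one that just hangs up.
SAMPLE_RESPONSES = {
    "old_stunnel": build_server_hello(SSLV3, 0x000A),
    "hardened": b"\x15\x03\x00\x00\x02\x02\x28",      # fatal handshake_failure (40)
    "tls_only": b"\x15\x03\x01\x00\x02\x02\x46",      # fatal protocol_version (70)
    "dropped": b"",
}


def classify_samples():
    return {name: classify_response(reply) for name, reply in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    if len(sys.argv) == 3:                            # python3 sslv3probe.py mail.example 993
        print(probe(sys.argv[1], int(sys.argv[2])))
    else:
        for name, verdict in classify_samples().items():
            print("%-12s %s" % (name, verdict))
```

Run it with no arguments to see the four constructed verdicts; with a host and port it performs the live probe. The same check can be done by hand with `openssl s_client -ssl3 -connect host:993` on an OpenSSL build that still has SSLv3 compiled in, which is increasingly rare, hence a probe that does not depend on the local library. For an stunnel front end of the kind mentioned in the post, `options = NO_SSLv3` in the service section is the setting that should turn the "old_stunnel" verdict into "refused". On the Firefox side, note that the preference is spelled `security.tls.version.min` in about:config.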