Man bites dog: HTTPS-menacing POODLE is 'hard to exploit' – unless you're on public Wi-Fi

Mozilla will ditch support for the insecure SSL 3.0 from Firefox next month, following the discovery of a design flaw in the protocol that allows hackers to hijack victims' online accounts. SSL v3 will be disabled by default in Firefox 34, due to be released on 25 November. Security experts are unanimous that sysadmins and …

  1. Anonymous Coward
    Anonymous Coward

    Use a VPN

    I always use a VPN on public wifi, such as citizenvpn.com.

    1. Anonymous Coward
      FAIL

      Re: Use a VPN

      And if it isn't IPSEC, you're still hosed. Besides, they have your vpn password because you typed it in in view of the CCTV cameras.

  2. Dan 55 Silver badge

    Another tester is at http://zmap.io/sslv3/.

    To fix Firefox and Firefox Mobile v33 and below now set security.tls.version.min to 1 in about:config and Shift-refresh the test page.

  3. jgarbo
    Linux

    Just tested Palemoon 24.6.2 (x86) - OK, Firefox 32 - Vulnerable!, Chrome 38 - Vulnerable!

  4. Justin Case

    Every cloud...

    "Disabling SSLv3 completely is likely to break Internet Explorer 6."

    ...has a silver lining

    1. Anonymous Coward
      Anonymous Coward

      Re: Every cloud...

      I disagree, I think it's a gold lining.

  5. John B Stone

    Note that early versions of poodletest showed recent Firefox versions as _not_ vulnerable incorrectly and that has now been fixed.

    There are not-too-difficult end-user fixes for Firefox, Chrome and IE.

    IE: on the Internet Options-Advanced tab untick "Use SSL 3.0" and apply

    Firefox: (as mentioned above) type about:config in the URL and then find and double click security.tls.version.min and set it to 1

    Chrome - slightly harder as you need to add a parameter to the command line in the shortcut you use to launch chrome. Add " --ssl-version-min=tls1" to the end of the shortcut's properties/target line after "\chrome.exe"

    After all of those you should restart the browser and retest. For some reason I had to logout/in to make the chrome change work.

    It's possible some websites won't work after that, though I haven't found any yet. I have noticed some authentication failures that require a retry.

  6. This post has been deleted by its author

  7. Charlie Clark Silver badge

    Yes, but…

    Even if the threat in this instance is perhaps not so great, the almost universal reaction as "it's time to dump SSL v3.0" is welcome. Maybe we'll move onto removing some more long deprecated stuff before they cause problems.

  8. codebeard

    1989 called El Reg...

    ... they want their insecure HTTP back.

    Exploits like this are really only possible because so many websites don't support HTTPS in the first place. For example, this website. Without a plain HTTP page to inject code into, there is not a practical way for POODLE to operate. If the internet would please get off its backside and make connections encrypted by default (this is a post-Snowden world, after all), it actually wouldn't matter if we all used SSL 3.0 – there'd be little way to exploit it (at least without collusion between a site that the user has open and the evil people intercepting their network connection).

    1. Anonymous Coward
      Anonymous Coward

      Re: 1989 called El Reg...

      there is not a practical way for POODLE to operate.

      I resemble that remark.

      My ISP provides me with the shittiest access point that their procurement people were able to source globally, one can safely assume that it is a virtual Chinese Fortune Cookie of 'spoits and backdoors (that will never be fixed, 'cause the software is flashed in and the support outsourced to bumbay).

      ... And ... My ISP works for FRA, which works for the NSA, who works for our Demonic Overlords.

      Which part isn't practical?

  9. PeteA
    WTF?

    There is no easy workaround ??

    There is no easy workaround or patch: SSL 3.0 needs to be deactivated entirely to stop snoopers compromising HTTPS connections

    Doesn't disabling it in a config file / the registry class as an easy workaround? If it doesn't, then what on earth does? You definitely don't want to be using a GUI if you're making the changes on 600 servers (internal security matters, too). If you're thinking of it from the client viewpoint, then just turn it off in your browser. If you're using mobile applications to do anything security-sensitive, you need your head examining anyway.
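The testers mentioned in comment 2 and comment 5, and the "600 servers" in comment 9, both come down to the same question: will this endpoint still negotiate SSL 3.0? The following script, added here as an example and not code from the article, any commenter, or the poodletest/zmap.io testers, does that check the way those sites do: it hand-builds an SSL 3.0 ClientHello (Python's ssl module no longer speaks SSLv3 at all), sends it, and classifies the first record that comes back. A ServerHello with server_version 3.0 means SSL 3.0 is still enabled; an alert or a closed connection means it has been turned off. The sample replies at the bottom are constructed, not captured from any real host, so the classifier can be exercised offline; the host list and the `probe` function name are this example's own.

```python
import os
import socket
import struct

# SSL 3.0 wire constants (RFC 6101). The record layer carries a content type,
# a protocol version and a length; handshake messages sit inside it.
SSL3_VERSION = b"\x03\x00"
RECORD_HANDSHAKE = 0x16
RECORD_ALERT = 0x15
HANDSHAKE_CLIENT_HELLO = 0x01
HANDSHAKE_SERVER_HELLO = 0x02

# Cipher suites an SSL 3.0 server of the era would typically accept (IANA values).
# The CBC suites are the ones POODLE's padding-oracle attack needs; RC4 is listed
# only so a server that prefers it still answers and reveals that SSLv3 is on.
SSL3_CIPHER_SUITES = [
    0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
    0x0035,  # TLS_RSA_WITH_AES_256_CBC_SHA
    0x000A,  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    0x0033,  # TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    0x0016,  # TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    0x0005,  # TLS_RSA_WITH_RC4_128_SHA
]


def build_ssl3_client_hello(client_random=None):
    """Return one SSL 3.0 record carrying a ClientHello (no extensions: SSLv3 has none)."""
    if client_random is None:
        client_random = os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in SSL3_CIPHER_SUITES)
    body = (
        SSL3_VERSION                                   # client_version = 3.0
        + client_random                                # 32-byte client random
        + b"\x00"                                      # session_id length 0
        + struct.pack("!H", len(suites)) + suites      # cipher_suites vector
        + b"\x01\x00"                                  # one compression method: null
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE]) + SSL3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_server_response(data):
    """Classify the first record the server sent back to the SSL 3.0 ClientHello.

    "sslv3"   ServerHello with server_version 3.0: SSL 3.0 still enabled
    "refused" alert record, empty reply/closed socket, or a ServerHello in another version
    "unknown" anything else (treat as 'look at it by hand')
    """
    if len(data) < 5:
        return "refused"  # closed without sending a record; common for SSLv3-disabled stacks
    content_type = data[0]
    record_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + record_len]
    if content_type == RECORD_ALERT:
        return "refused"  # typically handshake_failure (40) or protocol_version (70)
    if content_type == RECORD_HANDSHAKE and len(payload) >= 6 and payload[0] == HANDSHAKE_SERVER_HELLO:
        server_version = payload[4:6]  # skip handshake type (1) and length (3)
        return "sslv3" if server_version == SSL3_VERSION else "refused"
    return "unknown"


def probe(host, port=443, timeout=5.0):
    """Connect, send the SSL 3.0 ClientHello, and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_ssl3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""  # RST or silence: the server would not talk SSLv3
    return classify_server_response(data)


# Constructed sample replies (not captured from any real host) for offline use.
SAMPLE_SERVER_HELLO_SSL3 = (
    b"\x16\x03\x00\x00\x2a"   # record: handshake, version 3.0, 42 bytes follow
    + b"\x02\x00\x00\x26"     # ServerHello, 38-byte body
    + b"\x03\x00"             # server_version 3.0 -> SSLv3 negotiated
    + b"\x00" * 32            # server random (constructed)
    + b"\x00"                 # empty session id
    + b"\x00\x2f"             # chosen suite: TLS_RSA_WITH_AES_128_CBC_SHA
    + b"\x00"                 # null compression
)
SAMPLE_ALERT_PROTOCOL_VERSION = b"\x15\x03\x01\x00\x02\x02\x46"  # fatal protocol_version alert


if __name__ == "__main__":
    import sys
    # Hypothetical usage: python sslv3probe.py host1 host2 ... (hosts are whatever you pass in)
    for target in sys.argv[1:]:
        print(target, classify_server_response.__name__ and probe(target))
```

Run it against a list of your own hosts and anything that prints `sslv3` needs the server-side change the article describes (Apache `SSLProtocol all -SSLv3`, nginx `ssl_protocols TLSv1 TLSv1.1 TLSv1.2`, or the Schannel `SSL 3.0\Server\Enabled` registry value on Windows), which is exactly the kind of config-file change comment 9 calls an easy workaround. Two caveats: the probe only tells you whether SSL 3.0 is negotiable, not whether a client will actually be downgraded into it, and a server that rejects the hello with a TCP reset rather than an alert is classified as refused, which is the right answer but worth knowing when a result looks too clean.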

Biting the hand that feeds IT © 1998–2020