Use a VPN
I always use a VPN on public wifi, such as citizenvpn.com.
Mozilla will ditch support for the insecure SSL 3.0 from Firefox next month, following the discovery of a design flaw in the protocol that allows hackers to hijack victims' online accounts. SSL v3 will be disabled by default in Firefox 34, due to be released on 25 November. Security experts are unanimous that sysadmins and …
Note that early versions of poodletest showed recent Firefox versions as _not_ vulnerable incorrectly and that has now been fixed.
There are not too difficult end user fixes for Firefox, Chrome and IE.
IE: on the Internet Options-Advanced tab untick "Use SSL 3.0" and apply
Firefox: (as mentioned above) type about:config in the URL and then find and double click security.tls.version.min and set it to 1
Chrome - slightly harder as you need to add a parameter to the command line in the shortcut you use to launch chrome. Add " --ssl-version-min=tls1" to the end of the shortcut's properties/target line after "\chrome.exe"
After all of those you should restart the browser and retest. For some reason I had to logout/in to make the chrome change work.
It's possible some websites won't work after that, though I haven't found any yet. I have noticed some authentication failures that require a retry.
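An added example, not part of the comment above or of any browser's own code: a small Python audit that reads the two settings the comment names, security.tls.version.min in a Firefox prefs file and --ssl-version-min on a Chrome shortcut target, and reports whether SSL 3.0 is still allowed. The sample prefs text and shortcut paths are constructed, and treating a missing setting as "SSL 3.0 allowed" assumes a browser build that still enables it by default.

```python
import re

# security.tls.version.min values in Firefox: 0 = SSL 3.0, 1 = TLS 1.0, ...
LABELS = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}
CHROME_VALUES = {"ssl3": 0, "tls1": 1, "tls1.1": 2, "tls1.2": 3}

PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"security\.tls\.version\.min"\s*,\s*(\d+)\s*\)\s*;', re.M)
FLAG_RE = re.compile(r'(?<!\S)--ssl-version-min=(\S+)')


def firefox_min(prefs_text, default=0):
    """Minimum protocol from prefs.js/user.js text; the last user_pref wins."""
    # Assumption: default=0 models a build that still ships with SSL 3.0 on.
    found = PREF_RE.findall(prefs_text)
    return int(found[-1]) if found else default


def chrome_min(shortcut_target, default=0):
    """Minimum protocol from a Windows shortcut Target line."""
    # Drop quoted segments (the chrome.exe path) so only real arguments match.
    args = re.sub(r'"[^"]*"', " ", shortcut_target)
    levels = [CHROME_VALUES[v.lower()] for v in FLAG_RE.findall(args)
              if v.lower() in CHROME_VALUES]
    # Assumption: an unrecognised value counts as "flag not applied";
    # if the flag appears several times, report the weakest setting.
    return min(levels) if levels else default


def audit(prefs_text, shortcut_target):
    """Return {browser: (minimum protocol label, still_allows_ssl3)}."""
    result = {}
    for name, level in (("firefox", firefox_min(prefs_text)),
                        ("chrome", chrome_min(shortcut_target))):
        result[name] = (LABELS.get(level, "unknown (%d)" % level), level == 0)
    return result


# Constructed sample input, not taken from a real profile or shortcut.
SAMPLE_PREFS = '''user_pref("browser.startup.page", 3);
user_pref("security.tls.version.min", 1);
'''
SAMPLE_TARGET = r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --ssl-version-min=tls1'
UNFIXED_TARGET = r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'

if __name__ == "__main__":
    print(audit(SAMPLE_PREFS, SAMPLE_TARGET))
    print(audit("", UNFIXED_TARGET))
```

A mistyped flag value is reported the same as a missing flag, which is the case worth catching when the shortcut was edited by hand.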
... they want their insecure HTTP back.
Exploits like this are really only possible because so many websites don't support HTTPS in the first place. For example, this website. Without a plain HTTP page to inject code into, there is not a practical way for POODLE to operate. If the internet would please get off its backside and make connections encrypted by default (this is a post-Snowden world, after all), it actually wouldn't matter if we all used SSL 3.0 – there'd be little way to exploit it (at least without collusion between a site that the user has open and the evil people intercepting their network connection).
there is not a practical way for POODLE to operate.
I resemble that remark.
My ISP provides me with the shittiest access point that their procurement people were able to source globally; one can safely assume that it is a virtual Chinese Fortune Cookie of 'spoits and backdoors (that will never be fixed, 'cause the software is flashed in and the support outsourced to bumbay).
... And ... My ISP works for FRA, which works for the NSA, who works for our Demonic Overlords.
Which part isn't practical?
There is no easy workaround or patch: SSL 3.0 needs to be deactivated entirely to stop snoopers compromising HTTPS connections
Doesn't disabling it in a config file / the registry class as an easy workaround? If it doesn't, then what on earth does? You definitely don't want to be using a GUI if you're making the changes on 600 servers (internal security matters, too). If you're thinking of it from the client viewpoint, then just turn it off in your browser. If you're using mobile applications to do anything security-sensitive, you need your head examining anyway.