Whoinhell is using TLS 1.2?
TLS 3 is the golden standard
Google might have taken POODLE to a distant country road, let it out and driven away fast, but according to Qualys, the vulnerability has returned, repurposed, as an attack on Transaction Layer Security (TLS). Designated CVE-2014-8730, the new attack vector exploits the same class of problem as POODLE: an error in the handling …
There seems to be a need for a central page somewhere that says, quite simply:
What protocols are safe.
How to configure popular software to use those protocols.
And it updates, say, once every year or in the event of a major incident.
Many of the IT people I know aren't aware of these issues, or of the way to avoid them on their networks, and with the ever-changing climate it's important to not carry old knowledge forward.
I have a browser that lets me checkbox individual SSL/TLS protocols, and I read a fair few tech websites, so I'm fairly confident I'm safe but it would be nice - when setting up a new network - to just have one well-known website to go to that tells me, no, I shouldn't be using WPA or TLS 1.2 or whatever.
What protocols are safe?
That's easy: none.
The question should be: What protocols are not known to have been broken yet?
The IETF is probably best placed to manage this assuming sufficient funding is around. We also need to improve the funding for public security research and the development (and intelligent review) of open source stacks. What a pity that the spooks don't realise that this makes things safer for everyone: a smidgen of the NSA's or GCHQ's budget would do wonders.
> A couple of cross platform scripts that could test all the major browsers
> and web servers for compliance would be a lot of help too.
https://www.ssllabs.com/ssltest/
https://www.ssllabs.com/ssltest/viewMyClient.html
The server test is already updated to test for CVE-2014-8730
https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls
For anyone in Oz, get this . . . I reset my browser's security to only accept TLS 1.2:
Firefox:
security.tls.version.max 3
security.tls.version.min 3
Went to log into "Seek" (a job web site that used to be mostly "technical") - I couldn't access it because there was no security protocol match. I set the lowest encryption level back to TLS 1.0 and ran the test script at www.ssllabs.com/ssltest/analyze.html?d=seek.com.au and wrote to tell "Seek" about it.
The result: "Our IT team have responded and would like to thank you for the feedback, they are forwarding this on to the relevant department for future consideration."
"Awesome" as the colonials here are prone to saying!
I do hope that Google start down-ranking insecure sites in their search results ;-)