|
Message-ID: <543E1DE0.7020102@redhat.com> Date: Wed, 15 Oct 2014 09:10:24 +0200 From: Florian Weimer <fweimer@...hat.com> To: oss-security@...ts.openwall.com Subject: Re: SSL POODLE On 10/15/2014 08:05 AM, Krassimir Tzvetanov wrote: > Agreed: just I think you meant "1": security.tls.version.min == 1 (not 3)... > > from: http://kb.mozillazine.org/Security.tls.version.* > --- > 1 > > TLS 1.0 is the minimum required / maximum supported encryption protocol. > (This is the current default for the maximum supported version.) > --- What seems to get lost is this part of Mozilla's announcement: “This relies on a behavior of browsers called insecure fallback, where browsers attempt to negotiate lower versions of TLS or SSL when connections fail.” <https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/> As far as I can tell, the TLS downgrade protection mechanism work. However, browsers have an out-of-protocol, unprotected downgrade mechanism to SSL 3.0. (The Firefox function is called “retryDueToTLSIntolerance”.) I think we would be better off disabling *that* mechanism (for which configuration knob seems to exist, alas), instead of disabling SSL 3.0 or adding a different protocol version probing mechanism. From what I can tell, applications which simply use one the usual TLS implementations and do not implement their own protocol downgrade are still secure even if both ends implement SSL 3.0 support because the version numbers are protected by the handshake hash and the TLS implementation will never negotiate use of the SSL 3.0 protocol version. -- Florian Weimer / Red Hat Product Security
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.