petzl Posted October 24, 2014

SSL3.0 is under attack. Check https://www.poodletest.com/ to see if you are vulnerable.
For Firefox get add-on https://addons.mozilla.org/en-US/firefox/addon/disable-ssl-30/?src=api
The risk is small, but once it gets around, who knows.

Farelf Posted October 24, 2014

Interesting ... Firefox (32.0.3) was vulnerable (vulnerability patch due 25 Nov with 34 or get the add-on) but SeaMonkey (2.30) not.

petzl Posted October 24, 2014

> Interesting ... Firefox (32.0.3) was vulnerable (vulnerability patch due 25 Nov with 34 or get the add-on) but SeaMonkey (2.30) not.

Just doing a bit of checking on "Keep getting hacked please read". In that case it's the use of free hotspot/open WiFi connections using mobile devices. I use them all the time, but often see the creepy guy with a laptop looking my way? They have my throwaway Gmail name but are not accessing it; it's supposed to be SSL.
To secure Internet Explorer these are the settings: http://www.extremetech.com/wp-content/uploads/2014/10/SSL30.png

Farelf Posted October 24, 2014

Thanks, Internet Explorer was vulnerable (IE8, I just use for a few MS things - usually), that fixed it.

Lking Posted October 24, 2014

When looking for the Firefox add-on I upgraded to 33.0. That version is also vulnerable, so I downloaded the add-on to fix the issue. Thanks.

Dave_L Posted October 24, 2014

> SSL3.0 is under attack. Check https://www.poodletest.com/ to see if you are vulnerable.
> For Firefox get add-on https://addons.mozilla.org/en-US/firefox/addon/disable-ssl-30/?src=api
> The risk is small, but once it gets around, who knows.

From https://addons.mozilla.org/en-US/firefox/addon/disable-ssl-30/?src=api

> Currently this addon just sets the "security.tls.version.min" to 1 (generally from the default of 0). This is trivial to do via about:config but many users may want to do this without going there.

In my firefox settings (about:config):

security.tls.version.max = 3
security.tls.version.min = 0

To disable SSL v3, shouldn't max be set to 2, rather than setting min to 1? Or do I misunderstand something here?

Farelf Posted October 24, 2014

http://kb.mozillazine.org/Security.tls.version.*

security.tls.version.max = 3
3=TLS 1.2 is the minimum required / maximum supported encryption protocol....

SSL 3.0 is specified by 0 in those settings. Yes, I know

Another checker, mentioned in Mozilla pages, is https://www.ssllabs.com/ssltest/viewMyClient.html

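Added example, not part of the original thread and not the add-on's code: a small audit that reads the two prefs from prefs.js/user.js text and lists which protocol versions the min/max range leaves enabled, showing why raising min to 1 removes SSL 3.0 while lowering max to 2 does not. Assumptions: values 1 and 2 map to TLS 1.0 and TLS 1.1 (the thread only states 0 and 3), defaults are the min = 0 / max = 3 reported above, and the function names and sample pref lines are constructed for illustration.

```python
import re

# Pref value -> protocol. 0 and 3 are stated in the thread; 1 and 2 are
# the values in between (TLS 1.0 and TLS 1.1).
TLS_PREF_VERSIONS = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}

# Defaults as reported from about:config in the thread.
DEFAULTS = {"security.tls.version.min": 0, "security.tls.version.max": 3}

# Matches active user_pref lines only; lines commented out with // do not match.
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"(security\.tls\.version\.(?:min|max))"\s*,\s*(\d+)\s*\)\s*;'
)


def parse_prefs(text):
    """Return the effective min/max prefs; later lines override earlier ones."""
    prefs = dict(DEFAULTS)
    for line in text.splitlines():
        match = PREF_RE.match(line)
        if match:
            prefs[match.group(1)] = int(match.group(2))
    return prefs


def enabled_protocols(prefs):
    """List every protocol version inside the inclusive [min, max] range."""
    low = prefs["security.tls.version.min"]
    high = prefs["security.tls.version.max"]
    return [name for value, name in sorted(TLS_PREF_VERSIONS.items())
            if low <= value <= high]


def ssl3_enabled(text):
    """True if the profile text still allows SSL 3.0 to be negotiated."""
    return "SSL 3.0" in enabled_protocols(parse_prefs(text))


# Constructed sample profiles (not taken from any real machine).
DEFAULT_PROFILE = ""
MAX_LOWERED = 'user_pref("security.tls.version.max", 2);\n'
MIN_RAISED = 'user_pref("security.tls.version.min", 1);\n'
COMMENTED_OUT = '// user_pref("security.tls.version.min", 1);\n'

if __name__ == "__main__":
    for label, text in [("default", DEFAULT_PROFILE), ("max=2", MAX_LOWERED),
                        ("min=1", MIN_RAISED), ("commented", COMMENTED_OUT)]:
        print(label, enabled_protocols(parse_prefs(text)), ssl3_enabled(text))
```
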
petzl Posted October 25, 2014

> From https://addons.mozilla.org/en-US/firefox/addon/disable-ssl-30/?src=api
>
> In my firefox settings (about:config):
>
> security.tls.version.max = 3
> security.tls.version.min = 0
>
> To disable SSL v3, shouldn't max be set to 2, rather than setting min to 1? Or do I misunderstand something here?

The problem with SSL 3 is that as your IP passes from one IP to the next, it can be intercepted.
"The usage of Hotspots, public Wi-Fi, makes this attack a real problem."
http://www.symantec.com/connect/blogs/ssl-30-vulnerability-poodle-bug-aka-poodlebleed

Dave_L Posted October 26, 2014

> http://kb.mozillazine.org/Security.tls.version.*

Thanks, that answered my question.

petzl Posted October 26, 2014

> Thanks, that answered my question.

Not for mobiles? And the security on them just gets worse: http://www.youtube.com/embed/Q8xz8xKEFvU
Pays to scan your mobile device with their freeware app for iPhone and Android: http://www.snoopwall.com/
Take care and be suspicious. Tried this app out, seems clean?

Archived
This topic is now archived and is closed to further replies.