[Ach] POODLE

[Pepi Zawodsky]

On 15 Oct 2014, at 09:32, Alain Wolf <alain at alainwolf.ch> wrote:

> Maybe Cloudflare. I remember them having interesting stats on RC4, they
> should have that on SSLv3 too.
> https://blog.cloudflare.com/the-web-is-world-wide-or-who-still-needs-rc4/

I can give you the Cloudflare stats on SSLv3:

0.00000000000000000000 %

They do not support it at all since their setup completely relies on SNI (Server name indication) which was introduced with TLS 1.0.


The only thing on this planet (and likely the ISS as well) that ONLY support SSLv3 ist IE [678] on Windows XP which we didn't support from day one we started with bettercrypto.

The only other thing natively only supporting SSLv[23] is IBM/Lotus Domino server. The only available solutions are to shut this thing down and remove it from the internet immediately or glue in a Reverse Proxy with proper TLS. (nginx 1.7 or Apache 2.4)


Amongst the Alexa Top 10.000 exactly 12 (Twelve) only support SSLv3 but no TLS 1.0 or better. So I guess there is no problem in turning SSLv3 off globally and NOW. You'll do good to the clients that aren't patched. This problem will self-destruct in about 30 years, extrapolating from existing SSLv2 (1995) support.

https://8ack.de/sslv3

Best regards
Pepi

PS: I've found a ton of services that do not allow for configuring protocols/cipher suites at all and support ALL.