[Ach] POODLE

Julien Vehent julien at linuxwall.info
Wed Oct 15 15:14:25 CEST 2014


On 2014-10-15 08:25, Pepi Zawodsky wrote:
> The only thing on this planet (and likely the ISS as well) that ONLY
> supports SSLv3 is IE [678] on Windows XP which we didn't support from
> day one we started with bettercrypto.

And Chrome and all clients that rely on SChannel on Windows XP pre-SP3, 
afaik.

> The only other thing natively only supporting SSLv[23] is IBM/Lotus
> Domino server. The only available solutions are to shut this thing
> down and remove it from the internet immediately or glue in a Reverse
> Proxy with proper TLS. (nginx 1.7 or Apache 2.4)

There are numerous proprietary appliances that support poor TLS. I just 
tried to disable SSLv3 on a Cisco UCS and it breaks entirely. Be careful 
when telling people to disable things, they may end up spending hours of 
diagnosis without knowing what went wrong.

> Amongst the Alexa Top 10.000 exactly 12 (Twelve) only support SSLv3
> but no TLS 1.0 or better. So I guess there is no problem in turning
> SSLv3 off globally and NOW. You'll do good to the clients that aren't
> patched. This problem will self-destruct in about 30 years,
> extrapolating from existing SSLv2 (1995) support.
>
> https://8ack.de/sslv3

According to https://www.modern.ie/en-us/ie6countdown, a little less 
than 4% of the internet is still on IE6. At the minimum, admins should 
be aware of the consequences of disabling SSLv3, and not just drink the 
Kool-Aid and piss off their managers when they notice the drops in 
Google Analytics.

Mozilla will maintain SSLv3 on a very limited number of services, 
including https://www.mozilla.org, because we want to offer Firefox 
downloads to people connecting from very old clients.  irc.mozilla.org 
is another one where we tried to enable strong TLS, only to realize that 
the number of broken IRC clients that couldn't handle TLS1 and PFS was 
just too much to deal with. Backward compatibility trumps strong 
security, I'm afraid.

The internet isn't ready for a blanket destruction of SSLv3. People 
should know what they are doing and who they are impacting when 
disabling it.

- Julien
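
One way to measure who would be affected before turning SSLv3 off, as an added example that is not part of the original message. It assumes an nginx access log written with a hypothetical `tls` log format that records `$ssl_protocol`; the function name and the sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed nginx log format (not from the original post):
#   log_format tls '$remote_addr [$time_local] $ssl_protocol $ssl_cipher "$http_user_agent"';
LINE_RE = re.compile(r'^(?P<ip>\S+) \[[^\]]+\] (?P<proto>\S+) \S+ "(?P<ua>[^"]*)"$')

# Constructed sample lines (documentation address ranges, made-up appliance agent).
SAMPLE_LOG = """\
192.0.2.10 [15/Oct/2014:15:00:01 +0200] TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0"
192.0.2.10 [15/Oct/2014:15:00:03 +0200] SSLv3 AES128-SHA "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0"
192.0.2.11 [15/Oct/2014:15:00:04 +0200] SSLv3 DES-CBC3-SHA "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.11 [15/Oct/2014:15:00:05 +0200] SSLv3 DES-CBC3-SHA "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 [15/Oct/2014:15:00:09 +0200] TLSv1 AES128-SHA "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
198.51.100.8 [15/Oct/2014:15:00:12 +0200] SSLv3 RC4-SHA "ExampleApplianceAgent/1.0"
this line is malformed and must be skipped
"""


def sslv3_impact(log_text):
    """Summarise which clients would be cut off if SSLv3 were disabled."""
    hits = Counter()            # connections per negotiated protocol
    protos = defaultdict(set)   # client IP -> protocols it negotiated
    agents = defaultdict(set)   # client IP -> user agents it sent
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        hits[m["proto"]] += 1
        protos[m["ip"]].add(m["proto"])
        agents[m["ip"]].add(m["ua"])
    # A client that also negotiated TLS survives the change; only clients
    # that never got past SSLv3 are counted as impacted.
    only_v3 = sorted(ip for ip, seen in protos.items() if seen == {"SSLv3"})
    return {
        "hits": dict(hits),
        "sslv3_only_clients": only_v3,
        "impacted_share": len(only_v3) / len(protos) if protos else 0.0,
        "impacted_agents": Counter(ua for ip in only_v3 for ua in agents[ip]),
        "skipped_lines": skipped,
    }


if __name__ == "__main__":
    report = sslv3_impact(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Client IP is only an approximation of a distinct client here, since NAT can merge several clients behind one address.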


