Poodlebleed Bug SSLv3

SSL is now dead. Long live TLS…

The final nail in the coffin for SSL version 3.0 came when Google researchers announced a vulnerability, CVE-2014-3566. The reality is that SSL version 3.0 has been dead for some time and should have been deprecated like its younger brother, SSL version 2.0.

The recommended course of action is to disable the protocol on the server side (it is a protocol failure; there is no patch) to prevent attacks on the client.
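An added example, not from the original post: a small audit for the server-side fix above, flagging nginx `ssl_protocols` and Apache `SSLProtocol` directives that still enable SSLv3. The sample configuration lines are constructed and the function names are hypothetical.

```python
# Constructed sample configurations (not from the original post).
NGINX_WEAK = "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;"
NGINX_FIXED = "ssl_protocols TLSv1.2;  # SSLv3 removed"
APACHE_WEAK = "SSLProtocol all -SSLv2"
APACHE_FIXED = "SSLProtocol all -SSLv2 -SSLv3"
APACHE_OVERRIDE = "SSLProtocol -all +TLSv1.2 +SSLv3"


def nginx_allows_sslv3(args):
    """nginx: ssl_protocols is a plain list of the enabled protocols."""
    return "sslv3" in (a.lower() for a in args)


def apache_allows_sslv3(args):
    """Apache mod_ssl: tokens apply left to right; '+' adds, '-' removes,
    an unprefixed token replaces the set. 'all' is treated as including
    SSLv3 (assumption: the conservative reading for an audit)."""
    enabled = False
    for tok in args:
        sign = tok[0] if tok[0] in "+-" else ""
        covers = tok.lstrip("+-").lower() in ("all", "sslv3")
        if sign == "":
            enabled = covers            # unprefixed token overrides the set
        elif covers:
            enabled = (sign == "+")     # '+SSLv3' enables, '-SSLv3' disables
    return enabled


def find_sslv3(config_text):
    """Return (line_number, directive) for each directive enabling SSLv3."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        words = line.rstrip(";").split()
        if not words:
            continue
        name, args = words[0].lower(), words[1:]
        if (name == "ssl_protocols" and nginx_allows_sslv3(args)) or \
           (name == "sslprotocol" and apache_allows_sslv3(args)):
            findings.append((number, line))
    return findings


if __name__ == "__main__":
    for sample in (NGINX_WEAK, NGINX_FIXED, APACHE_WEAK,
                   APACHE_FIXED, APACHE_OVERRIDE):
        status = "SSLv3 ENABLED" if find_sslv3(sample) else "ok"
        print(f"{status:14}{sample}")
```

The check only covers explicit directives; a configuration with no protocol directive falls back to the server's built-in default, which has to be checked against the installed version.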

The working solution is to update both the server and the client side so that they do not negotiate a lower protocol (TLS_FALLBACK_SCSV), but a world where everyone switches is a utopian dream – IE6 and Windows XP are still pretty much king.

The next page covers testing, if you’re interested.
