Gene Heskett wrote:
> Call me confused. And I do run my own web page from this machine. URL
> in sig.
> Genes Web page <http://geneslinuxbox.net:6309/gene>

That is a non-https page. Do you operate any https pages requiring
security? I didn't find any. If you aren't using https then the
discussion here about the POODLE attack against https isn't relevant.

> First, there is no ~./etc/apache2/mods-available/ssl.conf, but there is a
> /etc/apache2/mods-available/ssl.conf

Right.

> With relatively sparse bits of uncommenting that would appear to be
> related here:
>
> SSLCipherSuite AES128+EECDH:AES128+EDH
> SSLHonorCipherOrder on
> SSLProtocol all -SSLv2 -SSLv3
> Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
> Header always set X-Frame-Options DENY

If you were operating an ssl site then the above would match the current
recommendations from:

  https://cipherli.st/

But as far as I can see you are not running https. Therefore modifying
those files is simply creating more work for yourself. :-(

I will note that it is a fast changing environment. I hate to quote
static lists like that since tomorrow they may be different. Instead I
like to point to centralized information resources like the ssllabs.com
and cipherli.st sites to coordinate the current wisdom.

> Documentation on this stuff and its interactions is sparse at best
> despite the fact that I have installed what s/b the correct man pages.

For web servers most of the documentation is on the web. It is just the
nature of things.

> Some of the above has been edited pursuant to anti POODLE instructions
> found by google.
>
> So, am I safe, or low hanging fruit with those settings?

As far as I can see you are safe since you are not operating a web site
that uses encryption to secure any pages. Therefore none of this
discussion applies to you as a web admin.

The question here is whether a POODLE attack can allow a man in the
middle attacker to see the plaintext of an SSL connection. To consider
the danger let's say a web site requires a login, uses cookies to
maintain a session, and https to keep others from sniffing your login
credentials. A successful attack could give someone else your cookie
data which they could use to log into that site as you.

But you are talking about your own site that you are maintaining. If
you are not using SSL then this simply does not apply to you. If you
are using SSL then it depends upon what, where, why, and so forth.
Someone using it just to add noise to the encrypted data traffic would
always be safe too since it wouldn't be worse than not encrypting it.

The POODLE attack doesn't allow someone to directly break into your web
server. The attack is about listening to encrypted traffic.
Information gained by sniffing may allow further attacks however. If
someone were using something like SquirrelMail or Roundcube or Mailpile
for a webmail interface for example then they should be directly
concerned over this type of attack. Someone targeting them might be
able to log into the web as them and send email as them. And the same
for most other web login interfaces. (Many people are in terror over
the idea of someone logging into Facebook as them. Research Firesheep.)

Bob
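The exchange above turns on whether `SSLProtocol all -SSLv2 -SSLv3` actually leaves SSLv3 disabled. The following is an added example, not code from the thread or from Apache: a small checker that applies mod_ssl's SSLProtocol rules (`+` adds, `-` removes, a bare word resets the list, `all` expands to the protocols mod_ssl knows) to a config fragment and reports whether SSLv3 is still negotiable. The sample config text is constructed for the example; the `ALL_PROTOCOLS` expansion assumes an Apache 2.4 build without TLSv1.3.

```python
"""Check an Apache mod_ssl config fragment for SSLv3 (POODLE) exposure.

Added example, not part of the original mailing-list post.
"""

# What mod_ssl's "all" keyword expands to on an Apache 2.4 build without
# TLSv1.3 support (assumption for this example). SSLv2 is never in "all".
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
KNOWN = {p.lower(): p for p in ALL_PROTOCOLS + ("SSLv2", "TLSv1.3")}


def parse_ssl_protocol(directive):
    """Return the set of protocols enabled by one SSLProtocol line.

    Mirrors mod_ssl's parsing: '+name' adds, '-name' removes, and a bare
    name resets the set to that protocol (mod_ssl warns when that
    overrides earlier words, which is a common misconfiguration).
    """
    words = directive.split()
    if not words or words[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive: %r" % directive)
    enabled = set()
    for word in words[1:]:
        action, name = (word[0], word[1:]) if word[0] in "+-" else ("=", word)
        name = name.lower()
        protos = set(ALL_PROTOCOLS) if name == "all" else {KNOWN[name]}
        if action == "-":
            enabled -= protos
        elif action == "+":
            enabled |= protos
        else:
            enabled = protos
    return enabled


def poodle_exposed(config_text):
    """True if SSLv3 is still enabled after reading the fragment.

    Comments are stripped and the last SSLProtocol line wins, as in a
    single Apache context. With no directive, Apache 2.4's default
    ("all") applies, so SSLv3 stays enabled.
    """
    enabled = set(ALL_PROTOCOLS)
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.lower().startswith("sslprotocol"):
            enabled = parse_ssl_protocol(line)
    return "SSLv3" in enabled


# Constructed fragments: the settings quoted in the thread, and a weaker one.
HARDENED = "SSLHonorCipherOrder on\nSSLProtocol all -SSLv2 -SSLv3\n"
WEAK = "SSLEngine on\nSSLProtocol all -SSLv2  # SSLv3 still on\n"
```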