The security issues keep coming. Another one just issued is for SSL 3, an 
18-year-old protocol. It's called POODLE (Padding Oracle On Downgraded Legacy 
Encryption) and was discovered by Google engineers. Mozilla plans to eliminate 
SSL 3 in Firefox 34, which is expected to be released Nov. 25. 
https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/

I used to use Opera before they discontinued Solaris support. They too plan to 
eliminate SSL 3 at some point in the future. For now they have implemented a 
workaround that splits the SSL records. http://blogs.opera.com/security/

>From the Opera blog: "Opera also supports the TLS_FALLBACK_SCSV mechanism. 
>This is a security feature, if supported by both browser and server, that 
>effectively stops unwanted fallbacks to lower TLS versions. Sadly, this 
>feature is not widely supported yet, but we hope that server administrators 
>pay attention to this attack and will upgrade their servers to support it. 
>This way, future problems with higher TLS versions will not have the same 
>devastating effect."

The reason SSL hasn't been eliminated is probably to keep IE6 from not being 
able to access https pages. When SSL 3 is eliminated in Firefox, it's probably 
going to cause major headaches due to servers that want to fall back to and use 
SSL 3.


A post in the Mozilla blog suggested disabling SSL by going to about:config. 
There are 27 and several are disabled by default. I toggled all of the others 
to False. Then I could not access the Mozilla site. I had to make a payment and 
after filling out the form, got an empty cart. I guessed and toggled 
security.ssl3.dhe_rsa_aes_256_sha to True and completed the purchase. Can also 
access the Mozilla blog with this turned on. Got an SSL error going to 
Facebook. One more guess and toggled security.ssl3.rsa_aes_256_sha to True and 
reloaded successfully. I now have just those two enabled.

Regards,
Fred Kimball

_______________________________________________
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss
