[Bug-wget] SSL Poodle attack
From: Tim Rühsen
Subject: [Bug-wget] SSL Poodle attack
Date: Wed, 15 Oct 2014 11:57:47 +0200
User-agent: KMail/4.14.1 (Linux/3.16-2-amd64; KDE/4.14.1; x86_64; ; )
Hi,
Google people found a new attack that affects SSLv3.
see
https://www.openssl.org/~bodo/ssl-poodle.pdf
http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566
Shortly: there is a design flaw in SSLv3 that implies high security risks.
AFAICS, Wget's default SSL protocol is 'auto' which uses (OpenSSL code)
case secure_protocol_auto:
meth = SSLv23_client_method ();
break;
or (GnuTLS code)
case secure_protocol_auto:
break;
(means, the libraries defaults are used, whatever that is).
Should we break compatibility and map 'auto' to TLSv1?
For the security of the users.
There are only very few HTTP servers out there which do not support TLSv1.
Or should we let the users/maintainers care for appropriate wgetrc settings?
What do you think?
Tim
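An added example, not wget's code and not part of the list thread, that models the choice the mail raises using Python's standard ssl module (3.7 or later, for minimum_version). The function names build_client_context and sslv3_reachable and the harden_auto switch are assumptions made here: 'auto' with harden_auto=False stands in for the SSLv23_client_method()/GnuTLS-default behaviour quoted above, 'auto' with harden_auto=True is the proposed mapping to a TLSv1 floor, and 'TLSv1' pins that single version. The check function answers the question a maintainer would ask of any such configuration: does anything in it actually rule SSLv3 out?

```python
import ssl

# Added illustration, not wget's code: mirror wget's --secure-protocol values
# in Python's ssl module so the policy question ("should 'auto' floor at
# TLSv1?") can be checked against a concrete client configuration.


def build_client_context(secure_protocol="auto", harden_auto=True):
    """Return an SSLContext that mirrors a --secure-protocol setting.

    'auto' with harden_auto=False reproduces "use whatever the library allows",
    the SSLv23_client_method()/GnuTLS-default behaviour quoted in the mail.
    'auto' with harden_auto=True is the proposed change: still negotiate the
    best version on offer, but never below TLSv1.  'TLSv1' pins exactly that
    version, the way TLSv1_client_method() would.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if secure_protocol == "auto":
        if harden_auto:
            ctx.minimum_version = ssl.TLSVersion.TLSv1
        else:
            # Library default: drop the explicit SSLv3 ban and let the floor
            # be whatever the linked library supports.  Modern builds refuse
            # SSLv3 on their own, but nothing in this configuration says so,
            # which is exactly the situation the mail describes.
            ctx.options &= ~ssl.OP_NO_SSLv3
            ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    elif secure_protocol == "TLSv1":
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = ssl.TLSVersion.TLSv1
    else:
        raise ValueError(f"unsupported secure_protocol {secure_protocol!r}")
    return ctx


def sslv3_reachable(ctx):
    """True when nothing in the context forbids an SSLv3 handshake.

    Two independent knobs can rule SSLv3 out: the OP_NO_SSLv3 option bit, or
    a protocol floor of TLSv1 or higher.  A POODLE-resistant client needs at
    least one of them set; relying on "the library default" is not a setting.
    """
    if ctx.options & ssl.OP_NO_SSLv3:
        return False
    return ctx.minimum_version < ssl.TLSVersion.TLSv1


if __name__ == "__main__":
    candidates = [
        ("auto (library default)", build_client_context("auto", harden_auto=False)),
        ("auto floored at TLSv1", build_client_context("auto", harden_auto=True)),
        ("TLSv1 pinned", build_client_context("TLSv1")),
    ]
    for name, ctx in candidates:
        print(f"{name:24s} SSLv3 reachable: {sslv3_reachable(ctx)}")
```

Mapping 'auto' to a TLSv1 floor rather than to a pinned TLSv1 keeps the compatibility argument intact: the client still negotiates the newest version both sides support, it merely stops accepting SSLv3, which is what the mail's proposal amounts to.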
- [Bug-wget] SSL Poodle attack, Tim Rühsen, 2014/10/15 (this message)
- Re: [Bug-wget] SSL Poodle attack, Petr Pisar, 2014/10/15
- Re: [Bug-wget] SSL Poodle attack, Tim Rühsen, 2014/10/16
- [Bug-wget] [PATCH] V2 removed 'auto' SSLv3 also from OpenSSL code, Tim Rühsen, 2014/10/16
- Re: [Bug-wget] [PATCH] V2 removed 'auto' SSLv3 also from OpenSSL code, Giuseppe Scrivano, 2014/10/19
- Re: [Bug-wget] [PATCH] V2 removed 'auto' SSLv3 also from OpenSSL code, Tim Rühsen, 2014/10/19