[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Bug-wget] please remove SSLv3 from being used until explicitly spec
|
From: |
Tim Rühsen |
|
Subject: |
Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified |
|
Date: |
Fri, 17 Oct 2014 21:40:23 +0200 |
|
User-agent: |
KMail/4.14.1 (Linux/3.16-2-amd64; KDE/4.14.1; x86_64; ; ) |
Am Freitag, 17. Oktober 2014, 18:02:39 schrieb Christoph Anton Mitterer:
> On Thu, 2014-10-16 at 21:34 +0200, Ángel González wrote:
> > First of all, note that wget doesn't react to a disconnect with a
> > downgraded retry thus
> > it is mainly not vulnerable to poodle (you could only use CVE-2014-3566
> > against servers
> > not supporting TLS).
> >
> > Then, even in that case, as an attacker won't be able to dynamically
> > connect in the
> > background to another site, explotaition would be much harder (something
> > like a
> > recursive download on an attacker-controlled server (such as http) which
> > is redirecting
> > _some_ requests to the https target). For little gaining, as it's very
> > unlikely that such
> > wget would hold any secret for that server connection (I think you would
> > need to use
> > --load-cookies with a file shared with another -sensitive- batch
> > processing).
>
> Thanks for trying that out...
> But often when such issues are found, no long afterwords people can
> attack it even more and what seems impossible right now may be possible
> then.
>
> Just look at the whole black magic to defend SSL against all the
> CBC/padding, MtE, lucky13 and further attacks... they fixed it and some
> time later the attacks where improved and the same issues where back.
>
> That's why I think SSLv3 should be no longer used, even if wget isn't
> that strongly exposed to attacks.
> Also one cannot say that people who depend on it wouldn't have had their
> time to move on to TLSv1.x... that SSLv3 will/should be phased out, is
> clear for years.
> So I feel, better proactively disable it (even if not yet necessary) and
> affect those who haven't done their homework, instead of waiting too
> long and let those suffer who did.
Looking at the thread 'SSL Poodle attack'.
So far everybody seem to agree to disable SSLv3 in the default settings.
I already posted a patch for OpenSSL and GnuTLS.
Because 'Poodle' itself does not affect Wget (e.g. you need a Javascript
enabled client for that and Wget does not have a renegotiate mechanism), we
are not in a hurry. SSLv3 *will* cease from the Wget defaults in the next
time, i am sure. Please don't be too concerned.
Tim
signature.asc
Description: This is a digitally signed message part.
- [Bug-wget] please remove SSLv3 from being used until explicitly specified, Christoph Anton Mitterer, 2014/10/16
- Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified, Tim Rühsen, 2014/10/16
- Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified, Ángel González, 2014/10/16
- Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified, Ángel González, 2014/10/16
- Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified, Ángel González, 2014/10/16
- Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified, Tim Rühsen, 2014/10/17
- Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified, Ángel González, 2014/10/19
- Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified, Tim Rühsen, 2014/10/19
- Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified, Christoph Anton Mitterer, 2014/10/17
- Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified,
Tim Rühsen <=
- Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified, Christoph Anton Mitterer, 2014/10/17
Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified, Christoph Anton Mitterer, 2014/10/17