FREAK: Another day, another serious SSL security hole | ZDNet

Rob Seastrom rs at seastrom.com
Wed Mar 4 05:34:23 CST 2015


Richard Barth <w3hwn at comcast.net> writes:

> http://www.zdnet.com/article/freak-another-day-another-serious-ssl-security-hole/?tag=nl.e589

This appears to be an SSLv3 problem, not a TLS problem.

None of my personal stuff should be affected (nor is amrad.org)
because we don't support SSLv3 at all anymore, due to POODLE.
Moreover, I don't have a business need to support ancient browsers
(for instance, IE6 on XP) so my cipher list is not only no-old-export-
grade stuff, but I require PFS ciphers, which is a Good Thing.

I do wish that the browsers would quit supporting SSLv3 or at least
start throwing an error like the invalid cert error as soon as they
get there.

Unfortunately there is still a *lot* of stuff, some of it embedded,
building automation, etc., that only supports SSLv3 with weak ciphers.
Upgrades should be prioritized based on cost, risk/exposure, etc.  For
instance, you might be able to get away with just chasing everything
onto an isolated VLAN and calling it done.

This underlines the reason you want periodic security audits on your
entire infrastructure, not just the intentionally Internet-facing stuff.

-r
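
Added example, not part of the original post: a small audit of scan results against the policy the message describes (no SSLv3, no export-grade suites, forward-secret key exchange only), listing exposed hosts first. The `Endpoint` record, its `exposed` field, the hostnames and the scan results are all constructed assumptions; cipher names follow OpenSSL naming.

```python
from dataclasses import dataclass

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}
PFS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")  # ephemeral, authenticated key exchange

@dataclass
class Endpoint:
    host: str
    exposed: bool      # assumption: reachable from outside its own segment
    protocols: tuple   # protocol versions the endpoint accepted
    ciphers: tuple     # accepted suites, OpenSSL naming

def is_export(cipher):
    return cipher.startswith("EXP")  # OpenSSL marks export suites EXP- / EXP1024-

def is_pfs(cipher):
    # Strip the export marker so EXP-EDH-... is still recognised as ephemeral DH.
    name = cipher.split("-", 1)[1] if is_export(cipher) else cipher
    # OpenSSL's TLS_* names are TLS 1.3 suites, which are always ephemeral.
    return cipher.startswith("TLS_") or name.startswith(PFS_PREFIXES)

def audit(ep):
    """Return the policy violations for one endpoint (empty list = compliant)."""
    findings = []
    legacy = sorted(LEGACY_PROTOCOLS & set(ep.protocols))
    if legacy:
        findings.append("legacy protocol: " + ", ".join(legacy))
    export = [c for c in ep.ciphers if is_export(c)]
    if export:
        findings.append("export-grade cipher: " + ", ".join(export))
    no_pfs = [c for c in ep.ciphers if not is_export(c) and not is_pfs(c)]
    if no_pfs:
        findings.append("no forward secrecy: " + ", ".join(no_pfs))
    return findings

def report(inventory):
    """Non-compliant hosts: exposed ones first, then by number of findings."""
    rows = [(ep, f) for ep in inventory if (f := audit(ep))]
    rows.sort(key=lambda r: (not r[0].exposed, -len(r[1]), r[0].host))
    return [(ep.host, f) for ep, f in rows]

# Constructed sample inventory (hostnames and scan results are made up).
INVENTORY = [
    Endpoint("www.example.org", True, ("TLSv1.2",), ("ECDHE-RSA-AES128-GCM-SHA256",)),
    Endpoint("mail.example.org", True, ("SSLv3", "TLSv1.2"), ("AES128-SHA", "ECDHE-RSA-AES256-SHA")),
    Endpoint("hvac.example.org", False, ("SSLv3",), ("EXP-RC4-MD5", "RC4-MD5")),
]

if __name__ == "__main__":
    for host, findings in report(INVENTORY):
        print(host, findings)
```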


