Any thoughts about the poodle SSL 3 bug?

chas4

chas4 last edited by

Microsoft Security Advisory 3009008

https://technet.microsoft.com/en-us/library/security/3009008.aspx

Why Open the Web?

Despite the connecting purpose of the Web, it is not entirely open to all of its users.
When used correctly, HTML documents can be displayed across platforms and devices.
However, many devices are excluded access to Web content.

chas4

chas4 last edited by

Twitter disabled SSL3 support

Why Open the Web?

Despite the connecting purpose of the Web, it is not entirely open to all of its users.
When used correctly, HTML documents can be displayed across platforms and devices.
However, many devices are excluded access to Web content.

praetorianx

praetorianx last edited by

Should Opera disable SSL 3?

It seems that this would probably be the wise move.

Deleted User

Deleted User last edited by

Is there any setting where we can disable it for the time being?

Fritzr92

Fritzr92 last edited by

According to Opera's Help page you can select the security protocol.

There are extended instructions in the information on certificates.

This would be nice if the features discussed in the Help text exist. However no information is given on finding the settings described and they don't appear to be accessible from the menus.

praetorianx

praetorianx last edited by

According to Opera's Help page you can select the security protocol.
There are extended instructions in the information on certificates.
This would be nice if the features discussed in the Help text exist. However no information is given on finding the settings described and they don't appear to be accessible from the menus.

I can't seem to find such help page on the new Opera 24.

You could select which security protocols you have enabled on the old (12.x) Opera, from the advanced security settings.

Deleted User

Deleted User last edited by

Hi,

Opera 12.16 with clean default profile, is shown as "Not vulnerable" to Poodle attack by the site www.poodletest.com/

http://âpp.com/Hfv5

SSLv3 is enabled by default in Opera 12.16 but after the test done, SSLv3 is automatically disabled.
I don't understand why.

Opera 26 seems "vulnerable" and i don't know how to disable SSL v3 protocol support...

g00g00

g00g00 last edited by

Hi,
Opera 12.16 with clean default profile, is shown as "Not vulnerable" to Poodle attack by the site www.poodletest.com/
http://âpp.com/Hfv5
SSLv3 is enabled by default in Opera 12.16 but after the test done, SSLv3 is automatically disabled.
I don't understand why.

Opera 26 seems "vulnerable" and i don't know how to disable SSL v3 protocol support...

Hello,
You can run following command line, and SSL3 will be disable in your Opera 26 :

%PATH-TO-YOUR-OPERA-VERSION%\opera.exe --ssl-version-min=tls1

Deleted User

Deleted User last edited by

Oh, yes, same as Chrome, I should have known :awww:

originalgbee

originalgbee last edited by

It appears that the --ssl-version-min argument is missing from opera-developer, so they must have removed it. So opera-developer is vulnerable and there is no way to fix that.

christoph142

christoph142 last edited by

opera-developer is vulnerable

No, it isn't.

originalgbee

originalgbee last edited by

It fails the poodle test, Chromium and Firefox do not when configured not to use SSLv3.

originalgbee

originalgbee last edited by

FWIW, while disallowing downgrading of the connection from TLS to SSLv3 technically defeats the exploit in question, opera-developer still supports SSLv3 which is just a half measure. SSLv3 was deprecated over a decade ago. Opera should drop support.

l33t4opera

l33t4opera last edited by

Hi @chas4 @praetorianx @alexcavaco @fritzr @ra-mon @g00g00 @originalgbee @christoph142, FYI:

"What we have done in Opera 25, is to add a countermeasure to the SSLv3 protocol when used. Since the attack can only be done to SSL records of certain lengths, we simply split the records into several records, where none of the records can be attacked. Adam Langley from Google who helped out developing the details of this idea named the countermeasure “anti poodle record splitting”. Hopefully this will help keeping SSLv3 secure enough for a few more months, and give server owners a chance to upgrade to TLS.

Next we have removed the security badge for SSLv3 servers. This means that when you go to a SSLv3 server, it will look as you got to a standard unencrypted http server.

Opera also supports the TLS_FALLBACK_SCSV mechanism. This is a security feature, if supported by both browser and server, that effectively stops unwanted fallbacks to lower TLS versions. Sadly, this feature is not widely supposed yet, but we hope that Server administrators pay attention to this attack and will upgrade their servers to support it. This way, future problems with higher TLS versions will not have the same devastating effect." - form more details, please read the "Security changes in Opera 25; the poodle attacks" \m/

chas4

chas4 last edited by

@l33t4opera I just read that blog post & great myOpera rock smile

Why Open the Web?

Despite the connecting purpose of the Web, it is not entirely open to all of its users.
When used correctly, HTML documents can be displayed across platforms and devices.
However, many devices are excluded access to Web content.

praetorianx

praetorianx last edited by

Thanks @l33t4opera.
It's always nice to be reassured that Opera is still on top of things when it comes to security.