Any thoughts about the poodle SSL 3 bug?
-
Deleted User last edited by
Hi,
Opera 12.16 with clean default profile, is shown as "Not vulnerable" to Poodle attack by the site www.poodletest.com/
SSLv3 is enabled by default in Opera 12.16 but after the test is done, SSLv3 is automatically disabled.
I don't understand why. Opera 26 seems "vulnerable" and I don't know how to disable SSL v3 protocol support...
-
g00g00 last edited by
Hi,
Opera 12.16 with clean default profile, is shown as "Not vulnerable" to Poodle attack by the site www.poodletest.com/
SSLv3 is enabled by default in Opera 12.16 but after the test is done, SSLv3 is automatically disabled.
I don't understand why. Opera 26 seems "vulnerable" and I don't know how to disable SSL v3 protocol support...
Hello,
You can run the following command line, and SSL3 will be disabled in your Opera 26:
%PATH-TO-YOUR-OPERA-VERSION%\opera.exe --ssl-version-min=tls1
-
originalgbee last edited by
It appears that the --ssl-version-min argument is missing from opera-developer, so they must have removed it. So opera-developer is vulnerable and there is no way to fix that.
-
originalgbee last edited by
It fails the poodle test; Chromium and Firefox do not when configured not to use SSLv3.
-
originalgbee last edited by
FWIW, while disallowing downgrading of the connection from TLS to SSLv3 technically defeats the exploit in question, opera-developer still supports SSLv3 which is just a half measure. SSLv3 was deprecated over a decade ago. Opera should drop support.
-
l33t4opera last edited by
Hi @chas4 @praetorianx @alexcavaco @fritzr @ra-mon @g00g00 @originalgbee @christoph142, FYI:
"What we have done in Opera 25, is to add a countermeasure to the SSLv3 protocol when used. Since the attack can only be done to SSL records of certain lengths, we simply split the records into several records, where none of the records can be attacked. Adam Langley from Google who helped out developing the details of this idea named the countermeasure “anti poodle record splitting”. Hopefully this will help keeping SSLv3 secure enough for a few more months, and give server owners a chance to upgrade to TLS.
Next we have removed the security badge for SSLv3 servers. This means that when you go to a SSLv3 server, it will look as you got to a standard unencrypted http server.
Opera also supports the TLS_FALLBACK_SCSV mechanism. This is a security feature, if supported by both browser and server, that effectively stops unwanted fallbacks to lower TLS versions. Sadly, this feature is not widely supported yet, but we hope that Server administrators pay attention to this attack and will upgrade their servers to support it. This way, future problems with higher TLS versions will not have the same devastating effect." - for more details, please read the "Security changes in Opera 25; the poodle attacks" \m/
-
chas4 last edited by
@l33t4opera I just read that blog post & great myOpera rock smile
Why Open the Web?
Despite the connecting purpose of the Web, it is not entirely open to all of its users.
When used correctly, HTML documents can be displayed across platforms and devices.
However, many devices are excluded access to Web content.
-
praetorianx last edited by
Thanks @l33t4opera.
It's always nice to be reassured that Opera is still on top of things when it comes to security.