    Any thoughts about the poodle SSL 3 bug?

    • chas4
      chas4 last edited by

      This POODLE bites: exploiting the SSL 3.0 fallback

      http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html

      Mozilla says it will disable SSL 3.0 in Firefox 34 because of #Poodle vulnerability ow.ly/CLFgg

      Should Opera disable SSL 3?

      Why Open the Web?

      Despite the connecting purpose of the Web, it is not entirely open to all of its users.
      When used correctly, HTML documents can be displayed across platforms and devices.
      However, many devices are excluded access to Web content.

      • chas4
        chas4 last edited by

        Microsoft Security Advisory 3009008

        https://technet.microsoft.com/en-us/library/security/3009008.aspx

        • chas4
          chas4 last edited by

          Twitter disabled SSL3 support

          • praetorianx
            praetorianx last edited by

            > Should Opera disable SSL 3?

            It seems that this would probably be the wise move.

            • Deleted User
              Deleted User last edited by

              Is there any setting where we can disable it for the time being?

              • Fritzr92
                Fritzr92 last edited by

                According to Opera's Help page you can select the security protocol.

                There are extended instructions in the information on certificates.

                This would be nice if the features discussed in the Help text exist. However no information is given on finding the settings described and they don't appear to be accessible from the menus.

                • praetorianx
                  praetorianx last edited by

                  > According to Opera's Help page you can select the security protocol.
                  > There are extended instructions in the information on certificates.
                  > This would be nice if the features discussed in the Help text exist. However no information is given on finding the settings described and they don't appear to be accessible from the menus.

                  I can't seem to find such a help page on the new Opera 24.

                  You could select which security protocols you have enabled on the old (12.x) Opera, from the advanced security settings.

                  • Deleted User
                    Deleted User last edited by

                    Hi,

                    Opera 12.16 with clean default profile, is shown as "Not vulnerable" to Poodle attack by the site www.poodletest.com/

                    http://âpp.com/Hfv5

                    SSLv3 is enabled by default in Opera 12.16, but after the test is done, SSLv3 is automatically disabled.
                    I don't understand why.

                    Opera 26 seems "vulnerable" and I don't know how to disable SSL v3 protocol support...

                    • g00g00
                      g00g00 last edited by

                      > Hi,
                      > Opera 12.16 with clean default profile, is shown as "Not vulnerable" to Poodle attack by the site www.poodletest.com/
                      > http://âpp.com/Hfv5
                      > SSLv3 is enabled by default in Opera 12.16, but after the test is done, SSLv3 is automatically disabled.
                      > I don't understand why.
                      >
                      > Opera 26 seems "vulnerable" and I don't know how to disable SSL v3 protocol support...

                      Hello,
                      You can run the following command line, and SSL3 will be disabled in your Opera 26:

                      %PATH-TO-YOUR-OPERA-VERSION%\opera.exe --ssl-version-min=tls1

                      • Deleted User
                        Deleted User last edited by

                        Oh, yes, same as Chrome, I should have known :awww:

                        • originalgbee
                          originalgbee last edited by

                          It appears that the --ssl-version-min argument is missing from opera-developer, so they must have removed it. So opera-developer is vulnerable and there is no way to fix that.

                          • christoph142
                            christoph142 last edited by

                            > opera-developer is vulnerable

                            No, it isn't.

                            • originalgbee
                              originalgbee last edited by

                              It fails the poodle test; Chromium and Firefox do not when configured not to use SSLv3.

                              • originalgbee
                                originalgbee last edited by

                                FWIW, while disallowing downgrading of the connection from TLS to SSLv3 technically defeats the exploit in question, opera-developer still supports SSLv3 which is just a half measure. SSLv3 was deprecated over a decade ago. Opera should drop support.

                                • l33t4opera
                                  l33t4opera last edited by

                                  Hi @chas4 @praetorianx @alexcavaco @fritzr @ra-mon @g00g00 @originalgbee @christoph142, FYI:

                                  "What we have done in Opera 25, is to add a countermeasure to the SSLv3 protocol when used. Since the attack can only be done to SSL records of certain lengths, we simply split the records into several records, where none of the records can be attacked. Adam Langley from Google who helped out developing the details of this idea named the countermeasure “anti poodle record splitting”. Hopefully this will help keeping SSLv3 secure enough for a few more months, and give server owners a chance to upgrade to TLS.

                                  Next we have removed the security badge for SSLv3 servers. This means that when you go to an SSLv3 server, it will look as if you went to a standard unencrypted http server.

                                  Opera also supports the TLS_FALLBACK_SCSV mechanism. This is a security feature, if supported by both browser and server, that effectively stops unwanted fallbacks to lower TLS versions. Sadly, this feature is not widely supported yet, but we hope that Server administrators pay attention to this attack and will upgrade their servers to support it. This way, future problems with higher TLS versions will not have the same devastating effect." - for more details, please read the "Security changes in Opera 25; the poodle attacks" \m/

                                  • chas4
                                    chas4 last edited by

                                    @l33t4opera I just read that blog post 🙂 & great myOpera rock smile 🙂

                                    • praetorianx
                                      praetorianx last edited by

                                      Thanks @l33t4opera.
                                      It's always nice to be reassured that Opera is still on top of things when it comes to security.
