<div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small">Well the only thing new about POODLE versus previous known vulnerabilities is the way to manipulate the known vulnerability to gain the session cookie, which you can then re-use to log on to the site for yourself without needing to authenticate.</div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small">There's no such thing as a session cookie in IMAP, so I'd be very surprised to see it usable. That doesn't mean that IMAP/SSL3 is secure, it just means it's no less secure today than it was 10 years ago.<br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small"><br></div><div class="gmail_default" style><font face="verdana, sans-serif"><a href="https://www.dfranke.us/posts/2014-10-14-how-poodle-happened.html">https://www.dfranke.us/posts/2014-10-14-how-poodle-happened.html</a> is really good description, read especially the bit above "The workaround".</font><br></div><div class="gmail_default" style><font face="verdana, sans-serif"><br></font></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small">Hope this helps</div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small">Geoff</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 15 October 2014 17:03, <span dir="ltr"><<a href="mailto:lst_hoe02@kwsoft.de" target="_blank">lst_hoe02@kwsoft.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
Zitat von Geoff Winkless <<a href="mailto:cyrus@geoff.dj" target="_blank">cyrus@geoff.dj</a>>:<div><div class="h5"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Genuine question: is it shown that POODLE impacts on IMAPS?<br>
<br>
I don't see how POODLE could affect an IMAPS session, since it only works<br>
if you can MITM a non-SSL session on the user's browser and force it to<br>
request the same target page over and over.<br>
<br>
Cheers<br>
<br>
Geoff<br>
</blockquote>
<br></div></div>
As said i'm still reading on the details, so thanks for the pointer. Nonetheless it might be time to give up on SSLv3 because of protocol design errors/weakness. Unfortunately it looks like Cyrus can not disable SSLv3 protocol without disabling ciphers also used in TLSv1.x, no?<br>
<br>
Regards<br>
<br>
Andreas<br>
<br>
<br>
<br>----<br>
Cyrus Home Page: <a href="http://www.cyrusimap.org/" target="_blank">http://www.cyrusimap.org/</a><br>
List Archives/Info: <a href="http://lists.andrew.cmu.edu/pipermail/info-cyrus/" target="_blank">http://lists.andrew.cmu.edu/pipermail/info-cyrus/</a><br>
To Unsubscribe:<br>
<a href="https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus" target="_blank">https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus</a><br></blockquote></div><br></div>