How to prevent SSLv3/Poodle attack?

Geoff Winkless cyrus at geoff.dj
Wed Oct 15 12:20:15 EDT 2014


Well the only thing new about POODLE versus previous known vulnerabilities
is the way to manipulate the known vulnerability to gain the session
cookie, which you can then re-use to log on to the site for yourself
without needing to authenticate.

There's no such thing as a session cookie in IMAP, so I'd be very surprised
to see it usable. That doesn't mean that IMAP/SSL3 is secure, it just means
it's no less secure today than it was 10 years ago.

https://www.dfranke.us/posts/2014-10-14-how-poodle-happened.html is a really
good description; read especially the bit above "The workaround".

Hope this helps

Geoff

On 15 October 2014 17:03, <lst_hoe02 at kwsoft.de> wrote:

>
> Quoting Geoff Winkless <cyrus at geoff.dj>:
>
>
>>> Genuine question: is it shown that POODLE impacts on IMAPS?
>>
>> I don't see how POODLE could affect an IMAPS session, since it only works
>> if you can MITM a non-SSL session on the user's browser and force it to
>> request the same target page over and over.
>>
>> Cheers
>>
>> Geoff
>>
>
> As said, I'm still reading on the details, so thanks for the pointer.
> Nonetheless it might be time to give up on SSLv3 because of protocol design
> errors/weaknesses. Unfortunately it looks like Cyrus cannot disable the SSLv3
> protocol without disabling ciphers also used in TLSv1.x, no?
>
> Regards
>
> Andreas
>
>
>
> ----
> Cyrus Home Page: http://www.cyrusimap.org/
> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
> To Unsubscribe:
> https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
>
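The mechanism Geoff summarises above (and the linked write-up explains in detail), as an added example that is not part of this thread or of Cyrus: a pure-Python simulation of the SSLv3 CBC padding weakness POODLE exploits. The receiver checks only the padding-length byte, so an attacker who can make the client resend the same secret many times with a chosen alignment can copy the block holding the secret byte into the padding position and learn that byte from whether the record is accepted. Everything in the block is a constructed stand-in (a toy Feistel block cipher, a truncated-SHA-256 MAC, a made-up record layout, the key, the "cookie"), chosen only so the code runs offline; it is not SSLv3's real cipher suite. The `tls_style` flag shows the other half of the story: with the TLS 1.0+ rule that every padding byte must equal the length byte, the same tampering is rejected and the recovery loop gives up. Note how much the attack needs from the victim (thousands of re-sent requests with attacker-chosen lengths), which is the point about an IMAP client being an unlikely target.

```python
# Added example: simulated SSLv3 CBC padding oracle (POODLE-style byte recovery).
# All primitives below are constructed stand-ins, not real SSLv3 algorithms.
import hashlib
import random

BLOCK = 16
MAC_LEN = 16
rng = random.Random(2014)            # seeded so the demo is reproducible


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Toy 16-byte block cipher: 4-round Feistel with SHA-256 as the round function.
# Only its invertibility and its use in CBC mode matter for the attack.
def _f(key: bytes, half: bytes, i: int) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, r, i))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, l, i)), l
    return l + r


def _mac(mac_key: bytes, data: bytes) -> bytes:
    return hashlib.sha256(mac_key + data).digest()[:MAC_LEN]


def ssl3_encrypt(key: bytes, mac_key: bytes, data: bytes, tls_style: bool = False) -> list:
    """MAC-then-pad-then-CBC. SSLv3 padding bytes are arbitrary and only the last
    byte (the padding length) is meaningful; TLS sets every padding byte to the
    length. A body that is already block-aligned gets a full block of padding.
    Returns the record as a list of blocks [IV, C0, C1, ...]."""
    body = data + _mac(mac_key, data)
    pad_len = BLOCK - 1 - len(body) % BLOCK
    pad = bytes([pad_len]) * pad_len if tls_style else bytes(rng.randrange(256) for _ in range(pad_len))
    body += pad + bytes([pad_len])
    prev = bytes(rng.randrange(256) for _ in range(BLOCK))   # fresh IV per record
    out = [prev]
    for i in range(0, len(body), BLOCK):
        prev = block_encrypt(key, _xor(body[i:i + BLOCK], prev))
        out.append(prev)
    return out


def ssl3_accepts(key: bytes, mac_key: bytes, blocks: list, tls_style: bool = False) -> bool:
    """Receiver side. SSLv3 validates only the padding-length byte (the flaw);
    tls_style=True adds the TLS 1.0+ check that all padding bytes match it."""
    pt = b"".join(_xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))
    pad_len = pt[-1]
    if pad_len >= BLOCK or len(pt) < pad_len + 1 + MAC_LEN:
        return False
    if tls_style and any(b != pad_len for b in pt[-1 - pad_len:-1]):
        return False
    body = pt[:-1 - pad_len]
    return body[-MAC_LEN:] == _mac(mac_key, body[:-MAC_LEN])


SECRET = b"sid=7f3a"                 # constructed "cookie"; unknown to the attacker
PREFIX_FIXED = b"Cookie: "
KEY, MAC_KEY = b"k" * 16, b"m" * 16  # constructed keys; the attacker never sees them


def victim_send(prefix_len: int, suffix_len: int, tls_style: bool = False) -> list:
    """The client, coerced into re-sending the secret; the attacker controls only
    how many bytes precede and follow it (path length and body length in POODLE)."""
    data = b"A" * prefix_len + PREFIX_FIXED + SECRET + b"B" * suffix_len
    return ssl3_encrypt(KEY, MAC_KEY, data, tls_style)


def poodle_recover(secret_len: int, max_tries: int = 20000, tls_style: bool = False):
    """Recover the secret one byte at a time; None if a byte is not found in time."""
    recovered = bytearray()
    for j in range(secret_len):
        pos = len(PREFIX_FIXED) + j
        prefix_len = (BLOCK - 1 - pos) % BLOCK           # target byte last in its block
        pos += prefix_len
        total = prefix_len + len(PREFIX_FIXED) + secret_len + MAC_LEN
        suffix_len = (-total) % BLOCK                    # force a full padding block
        target = pos // BLOCK                            # plaintext block index i
        byte = None
        for _ in range(max_tries):
            blocks = victim_send(prefix_len, suffix_len, tls_style)
            tampered = blocks[:-1] + [blocks[target + 1]]   # C_i replaces the last block
            if ssl3_accepts(KEY, MAC_KEY, tampered, tls_style):
                # accepted => P_i[15] ^ C_{i-1}[15] ^ C_{n-1}[15] == BLOCK-1
                byte = (BLOCK - 1) ^ blocks[target][-1] ^ blocks[-2][-1]
                break
        if byte is None:
            return None
        recovered.append(byte)
    return bytes(recovered)


if __name__ == "__main__":
    print("SSLv3-style receiver:", poodle_recover(len(SECRET)))
    print("TLS-style receiver:  ", poodle_recover(len(SECRET), max_tries=300, tls_style=True))
```

Each accepted tampered record reveals one byte, and acceptance happens with probability about 1/256 per re-sent request, so expect a few hundred requests per byte; that cost, and the need for the attacker to drive the client's request layout, is why the practical target was a browser with attacker-controlled JavaScript and a session cookie to steal.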