[ic] POODLE
Peter
peter at pajamian.dhs.org
Sun Nov 2 13:16:46 UTC 2014
On 11/02/2014 04:06 PM, Jon Jensen wrote:
>> I'm thinking that it would be a good idea to update the payment
>> modules in Interchange so that they will not use SSLv2 (BEAST) or
>> SSLv3 (POODLE) protocols. This is probably not an issue because the
>> payment processors have, or will likely soon be removing SSLv3 support
>> from their servers, but still it's probably a good idea to donk the
>> issue from our end as well.
>
> +1. Are you already working on a patch? Want any help?
One thing that I should mention here is that Interchange is not
currently vulnerable to any known exploit for POODLE. All the current
exploit vectors require a JavaScript-enabled client, and neither
Crypt::SSLeay, Net::SSLeay nor wget is even capable of JavaScript.
Peter