[ic] POODLE

Mike Heins mikeh at perusion.com
Sun Nov 2 13:24:39 UTC 2014


Quoting Peter (peter at pajamian.dhs.org):
> On 11/02/2014 04:06 PM, Jon Jensen wrote:
> >> I'm thinking that it would be a good idea to update the payment
> >> modules in Interchange so that they will not use SSLv2 (BEAST) or
> >> SSLv3 (POODLE) protocols.  This is probably not an issue because the
> >> payment processors have, or will likely soon be removing SSLv3 support
> >> from their servers, but still it's probably a good idea to donk the
> >> issue from our end as well.
> > 
> > +1. Are you already working on a patch? Want any help?
> 
> One thing that I should mention here is that Interchange is not
> currently vulnerable to any known exploit for POODLE.  All the current
> exploit vectors require a JavaScript-enabled client and neither
> Crypt::SSLeay, Net::SSLeay nor wget are even capable of JavaScript.

What would be the workaround? Set LWP to disable SSL completely? I
guess you get some benefit in throwing an error to alert you to an
endpoint that is not using TLS, but if your target is using TLS you
won't ever use SSL anyway, right?

I've made sure that all my clients are updated to the latest and
will connect to endpoints that disable SSL, but I didn't think it
necessary to completely remove SSL from LWP (or whatever is used).

-- 
Mike Heins
Perusion -- Expert Interchange Consulting    http://www.perusion.com/
phone +1.765.253.4194  <mike at perusion.com>

I am a great believer in luck, and I find that the harder I work
the more luck I have. -- Thomas Jefferson
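
An added example, not part of the message above or of Interchange's payment modules: one way a Perl client using LWP can be limited to TLS, so that a handshake with an SSL-only endpoint fails with an error instead of silently succeeding. It assumes LWP::UserAgent 6.x with the IO::Socket::SSL backend; `tls_only_agent`, `post_to_gateway` and the URL argument are hypothetical names.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;

# Assumption: LWP 6.x with LWP::Protocol::https on the IO::Socket::SSL backend,
# which receives the ssl_opts below. Net::SSL (Crypt::SSLeay) ignores SSL_version.
# tls_only_agent and post_to_gateway are hypothetical helper names.

# 'SSLv23' means "negotiate the best version both sides support";
# the !SSLv2 and !SSLv3 parts remove those two protocols from the offer.
sub tls_only_agent {
    return LWP::UserAgent->new(
        timeout  => 15,
        ssl_opts => {
            verify_hostname => 1,
            SSL_version     => 'SSLv23:!SSLv2:!SSLv3',
        },
    );
}

# POST form fields; die with a clear message if the endpoint could not
# be reached over TLS, so an SSL-only endpoint is noticed, not used.
sub post_to_gateway {
    my ($url, $fields) = @_;
    my $res = tls_only_agent()->post($url, $fields);
    return $res->decoded_content if $res->is_success;

    # LWP marks errors it generated itself (DNS, connect, handshake)
    # with this header; anything else is a real HTTP error status.
    my $internal = ($res->header('Client-Warning') // '') eq 'Internal response';
    die sprintf("%s: %s\n",
        $internal ? 'connection or TLS handshake failed' : 'endpoint returned an error',
        $res->status_line);
}

# Usage: perl tls_post.pl <https-url>   (the URL is supplied by the caller)
unless (caller) {
    my $url = shift @ARGV or die "usage: $0 <https-url>\n";
    print post_to_gateway($url, { test => 1 });
}
```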


