[ic] POODLE

Peter peter at pajamian.dhs.org
Sun Nov 2 19:27:11 UTC 2014


On 11/03/2014 02:24 AM, Mike Heins wrote:
> What would be the workaround? Set LWP to disable SSL completely?

Yes, I would disable SSLv2 and SSLv3, only allowing connections via
TLSv1.0 and higher.

> I
> guess you get some benefit in throwing an error to alert you to an
> endpoint that is not using TLS, but if your target is using TLS you
> won't ever use SSL anyway, right?

Unless the server allows SSLv3 and there is some sort of downgrade
attack which tricks both the server and client into thinking that TLS is
not supported on the other end.

> I've made sure that all my clients are updated to the latest and
> will connect to endpoints that disable SSL, but I didn't think it
> necessary to completely remove SSL from LWP (or whatever is used).

Well, it's not something that has to be jumped into.  As I said before,
there is currently no known exploit without JavaScript support, although
I get the feeling it's only a matter of time.  Also I think that all
payment gateways will likely be disabling SSLv2 and SSLv3 anyway,
especially since they will almost certainly have to in order to pass
their upcoming PCI scans.

This was just a thought that we should maybe do so on the Interchange
end of things just to be that much safer.


Peter
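The LWP-side workaround Peter describes (refuse SSLv2/SSLv3, allow TLSv1.0 and higher), as an added example that is not from this thread or from Interchange itself. It assumes LWP::Protocol::https and IO::Socket::SSL are installed, since LWP::UserAgent's `ssl_opts` are handed straight through to IO::Socket::SSL; the URL and the `make_tls_only_agent`/`check_endpoint` names are mine.

```perl
#!/usr/bin/perl
# Added example (not from the interchange-users thread or Interchange):
# build an LWP::UserAgent that will not negotiate SSLv2 or SSLv3, then fetch
# a URL given on the command line and report whether the request succeeded.
use strict;
use warnings;
use LWP::UserAgent;

# 'SSLv23' lets OpenSSL negotiate the highest version both sides support;
# the '!SSLv2:!SSLv3' suffix removes the two SSL versions from the offer,
# so the handshake can only complete on TLSv1.0, TLSv1.1 or TLSv1.2.
sub make_tls_only_agent {
    return LWP::UserAgent->new(
        timeout  => 30,
        ssl_opts => {
            verify_hostname => 1,                   # keep certificate/hostname checks on
            SSL_version     => 'SSLv23:!SSLv2:!SSLv3',
        },
    );
}

# Fetch $url with the TLS-only agent and return a one-line status string.
# An endpoint that only offers SSLv3 fails the handshake here (status 500
# with the IO::Socket::SSL error text) instead of being silently accepted.
sub check_endpoint {
    my ($url) = @_;
    my $ua  = make_tls_only_agent();
    my $res = $ua->get($url);
    return ($res->is_success ? 'OK: ' : 'FAILED: ') . $res->status_line;
}

my $url = shift @ARGV or die "usage: $0 https://gateway.example/\n";
print check_endpoint($url), "\n";
```

Newer IO::Socket::SSL releases already exclude SSLv2 and SSLv3 by default, so setting `SSL_version` explicitly mainly protects installs that still ship an older module.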



More information about the interchange-users mailing list