[10243] in Security FYI


[IS&T Security-FYI] SSL 3.0 Vulnerability Disclosed

daemon@ATHENA.MIT.EDU (Monique Buchanan)
Thu Oct 16 11:55:28 2014

Resent-From: ist-security-fyi@mit.edu
From: Monique Buchanan <myeaton@mit.edu>
To: ist-security-fyi <ist-security-fyi@mit.edu>
Date: Thu, 16 Oct 2014 15:54:19 +0000
Message-ID: <6B078F39-1CBC-429D-AD44-C1BA78EB1856@mit.edu>

For this issue I am forwarding along a message that went out to the Security SIG list and IT Partners last night:

1. SSL 3.0 Vulnerability Disclosed

Good Afternoon,

Engineers at Google have disclosed a vulnerability in SSL 3.0 that can allow a network attacker to decrypt the contents of certain encrypted web communications.

The exploit is being called POODLE (Padding Oracle On Downgraded Legacy Encryption) and is made possible by the abuse of a deprecated encryption protocol included in most web browsers, and web servers, for legacy site and/or browser compatibility.

As a result of this disclosure, both Google and Mozilla have committed to completely removing SSL 3.0 from Firefox and Chrome in the coming months. In the coming days, we expect to see other browser makers, specifically Microsoft (Internet Explorer) and Apple (Safari), publish plans on how they will be protecting users from the POODLE vulnerability.

Locally, IS&T plans to upgrade all of its systems to remove SSL 3.0 support and is working to discover non-IS&T sites that are still using SSL 3.0 to secure communications. Once discovery is complete, notifications will be sent out to site administrators.

IS&T will update this thread as more information is made available from browser makers and as stop-gap mitigation steps are published.

Regards,
Security Operations

A copy of this message can be found on The Knowledge Base: http://kb.mit.edu/confluence/x/GIEwCQ

--------------------------

RELEVANT LINKS

Google Disclosure: http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html

Mozilla Disclosure: https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/

Imperial Violet: https://www.imperialviolet.org/2014/10/14/poodle.html

POODLE Technical Paper: https://www.openssl.org/~bodo/ssl-poodle.pdf



Monique Buchanan
IT Security Communications Coordinator
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu/secure
tel: 617.253.2715
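The discovery step the message describes (finding sites that still accept SSL 3.0) can be scripted. The following is an added example written for this archive page, not code from IS&T or from any of the linked disclosures. It builds a minimal SSL 3.0 ClientHello, sends it, and classifies the server's first record: a ServerHello carrying version 3.0 means the host still negotiates SSL 3.0 and belongs on the remediation list; a handshake_failure or protocol_version alert (or a closed connection) means SSL 3.0 is refused. The cipher-suite list offered in the probe and the two sample replies are constructed for the example; the host name passed on the command line is whatever system you administer.

```python
"""Probe whether a server still accepts an SSL 3.0 handshake.

Added example for the IS&T discovery step; not part of the original message.
"""
import os
import socket
import struct

SSL3_VERSION = b"\x03\x00"

# Cipher suites offered in the probe (standard code points; the selection is
# the example author's, not taken from the IS&T message).
PROBE_CIPHER_SUITES = (
    0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
    0x0035,  # TLS_RSA_WITH_AES_256_CBC_SHA
    0x000A,  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    0x0005,  # TLS_RSA_WITH_RC4_128_SHA
)

ALERT_HANDSHAKE_FAILURE = 40
ALERT_PROTOCOL_VERSION = 70


def build_sslv3_client_hello(client_random=None):
    """Return a complete record-layer ClientHello that offers SSL 3.0 only."""
    client_random = os.urandom(32) if client_random is None else client_random
    suites = b"".join(struct.pack("!H", s) for s in PROBE_CIPHER_SUITES)
    body = (
        SSL3_VERSION                                   # client_version = 3.0
        + client_random                                # 32-byte random
        + b"\x00"                                      # session_id length 0
        + struct.pack("!H", len(suites)) + suites      # cipher suites
        + b"\x01\x00"                                  # one compression method: null
    )
    # Handshake header: msg_type 1 (ClientHello) + 24-bit body length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content_type 22 (handshake), version, 16-bit length
    return b"\x16" + SSL3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the server's first record: 'accepts_sslv3', 'rejects_sslv3' or 'unknown'."""
    if len(data) < 5:
        return "unknown"
    content_type = data[0]
    length = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if content_type == 0x16 and len(payload) >= 6 and payload[0] == 0x02:
        # ServerHello: 4-byte handshake header, then server_version
        return "accepts_sslv3" if payload[4:6] == SSL3_VERSION else "unknown"
    if content_type == 0x15 and len(payload) >= 2:
        # Alert record: level byte, then description byte
        if payload[1] in (ALERT_HANDSHAKE_FAILURE, ALERT_PROTOCOL_VERSION):
            return "rejects_sslv3"
    return "unknown"


def probe_host(host, port=443, timeout=5.0):
    """Connect, send the probe and classify the reply; a closed connection counts as a refusal."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        data = sock.recv(4096)
    return "rejects_sslv3" if not data else classify_response(data)


# Constructed sample replies for offline use; not captured from any real host.
SAMPLE_SERVER_HELLO = (
    b"\x16" + SSL3_VERSION + struct.pack("!H", 42)     # handshake record, 42 bytes
    + b"\x02" + struct.pack("!I", 38)[1:]              # ServerHello, 38-byte body
    + SSL3_VERSION + bytes(32) + b"\x00"               # version 3.0, random, empty session id
    + b"\x00\x2F" + b"\x00"                            # chosen suite, null compression
)
SAMPLE_ALERT = b"\x15" + SSL3_VERSION + b"\x00\x02" + b"\x02" + bytes([ALERT_HANDSHAKE_FAILURE])

if __name__ == "__main__":
    import sys
    # Usage: python sslv3_probe.py HOST [PORT]; with no arguments, run the offline samples.
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print(sys.argv[1], probe_host(sys.argv[1], port))
    else:
        print("sample ServerHello ->", classify_response(SAMPLE_SERVER_HELLO))
        print("sample alert       ->", classify_response(SAMPLE_ALERT))
```

Run against your own inventory and treat every "accepts_sslv3" result as a host that needs SSL 3.0 disabled in its server configuration; the probe only reads the first record, so it never completes a handshake or touches application data.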




