Closed
Bug 1266202
Opened 9 years ago
Closed 9 years ago
SSL 3.0 Vulnerability – (AKA POODLE Bleed)
Categories
(www.mozilla.org :: General, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 1084577
People
(Reporter: KeyStrOke.M95, Unassigned)
Details
Attachments (1 file): 1.44 MB, application/gzip
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0 Iceweasel/44.0
Build ID: 20160127021244
Firefox for Android
Steps to reproduce:
Hi, I recently noticed multiple security vulnerabilities under https://mozilla.org/ such as Poodle Bleed Bug (CVE-2014-3566)
Type: Cryptographic Issue
You can check it with some online tools like:
https://www.expeditedssl.com/varonis_poodle?target_domain=www.mozilla.org
or
https://pentest-tools.com/network-vulnerability-scanning/ssl-poodle-scanner
or using nmap:
mohamed@KeyStrOke:~$ nmap --script ssl-enum-ciphers -p 443 www.mozilla.org
or you can use some Python scripts to detect it like:
http://pastebin.com/raw/KqCp1ykx
Actual results:
Nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue.
Expected results:
The attack described above requires an SSL 3.0 connection to be established, so disabling the SSL 3.0 protocol in the client or in the server (or both) will completely avoid it; disabling CBC-mode ciphers with SSL 3.0 is also sufficient to mitigate this issue. If either side supports only SSL 3.0, then all hope is gone, and a serious update is required to avoid insecure encryption.
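An added defender-side check, not part of this bug report: it parses output in the shape the `nmap --script ssl-enum-ciphers` command above produces (the sample below is constructed, with made-up suites and grades) and flags exactly what the mitigation text describes: SSL 3.0 still offered, CBC-mode suites under it, or SSL 3.0 as the only protocol.

```python
import re

# Constructed sample in the shape `nmap --script ssl-enum-ciphers -p 443 <host>`
# prints; the ciphers and grades below are made up for this demo.
SAMPLE_NMAP_OUTPUT = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|_  least strength: C
"""

# Protocol header lines look like "|   SSLv3:"; cipher lines like
# "|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A" (indentation tolerant).
PROTO_RE = re.compile(r"^\|\s+(SSLv[23]|TLSv1(?:\.[0-3])?):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)")

def parse_ssl_enum_ciphers(output):
    """Map each protocol version nmap enumerated to the suites offered under it."""
    protocols, current = {}, None
    for line in output.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            protocols[current] = []
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            protocols[current].append(m.group(1))
    return protocols

def poodle_exposure(output):
    """CVE-2014-3566 summary: is SSLv3 offered, which CBC suites sit under it
    (the padding-oracle attack needs one), and is SSLv3 the only protocol."""
    protocols = parse_ssl_enum_ciphers(output)
    sslv3 = protocols.get("SSLv3", [])
    cbc = [c for c in sslv3 if "_CBC_" in c]
    return {
        "sslv3_offered": "SSLv3" in protocols,
        "sslv3_cbc_ciphers": cbc,
        "vulnerable": bool(cbc),          # POODLE needs SSLv3 plus a CBC-mode suite
        "sslv3_only": set(protocols) == {"SSLv3"},
    }
```

A host whose scan lists no `SSLv3:` section comes back with `vulnerable` false; a host with `sslv3_only` true is the "all hope is gone" case above and needs a server update, not just a cipher tweak.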
Updated•9 years ago
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Component: Untriaged → General
Product: Firefox → www.mozilla.org
Resolution: --- → DUPLICATE
Version: 44 Branch → Production