Well, the only thing new about POODLE versus previous known vulnerabilities is the way to manipulate the known vulnerability to gain the session cookie, which you can then re-use to log on to the site for yourself without needing to authenticate.
There's no such thing as a session cookie in IMAP, so I'd be very surprised to see it usable. That doesn't mean that IMAP/SSL3 is secure, it just means it's no less secure today than it was 10 years ago.
https://www.dfranke.us/posts/2014-10-14-how-poodle-happened.html is a really good description; read especially the bit above "The workaround".
Hope this helps
Geoff
On 15 October 2014 17:03, <lst_hoe02@xxxxxxxxx> wrote:
Quoting Geoff Winkless <cyrus@xxxxxxxx>:
Genuine question: is it shown that POODLE impacts on IMAPS?
I don't see how POODLE could affect an IMAPS session, since it only works
if you can MITM a non-SSL session on the user's browser and force it to
request the same target page over and over.
Cheers
Geoff
As said, I'm still reading on the details, so thanks for the pointer. Nonetheless it might be time to give up on SSLv3 because of protocol design errors/weakness. Unfortunately it looks like Cyrus cannot disable the SSLv3 protocol without disabling ciphers also used in TLSv1.x, no?
Regards
Andreas
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus