On 2014-10-15 18:20, Geoff Winkless wrote:
> Well the only thing new about POODLE versus previous known
> vulnerabilities is the way to manipulate the known vulnerability to gain
> the session cookie, which you can then re-use to log on to the site for
> yourself without needing to authenticate.

I think the more important new concept is that arbitrary sessions can be
downgraded to use a known vulnerable cipher/protocol version, even if more
secure ones are available and servers/clients use cipher suite pinning and
all the other tricks we came up with to mitigate BEAST et al. This makes
the current "add new protocols for secure clients, but keep backwards
compatibility anyway" approach for handling SSL much more dangerous.

> There's no such thing as a session cookie in IMAP, so I'd be very
> surprised to see it usable. That doesn't mean that IMAP/SSL3 is secure,
> it just means it's no less secure today than it was 10 years ago.

The current exploit is quite HTTP(S) specific and I can't think of a way
to apply it to IMAP, but it's probably not the last SSL3 problem.

> https://www.dfranke.us/posts/2014-10-14-how-poodle-happened.html is a
> really good description, read especially the bit above "The workaround".
>
> Hope this helps
>
> Geoff
>
> On 15 October 2014 17:03, <lst_hoe02@xxxxxxxxx> wrote:
>
>> Quote from Geoff Winkless <cyrus@xxxxxxxx>:
>>
>>> Genuine question: is it shown that POODLE impacts on IMAPS?
>>>
>>> I don't see how POODLE could affect an IMAPS session, since it only
>>> works if you can MITM a non-SSL session on the user's browser and
>>> force it to request the same target page over and over.
>>>
>>> Cheers
>>>
>>> Geoff
>>
>> As said I'm still reading on the details, so thanks for the pointer.
>> Nonetheless it might be time to give up on SSLv3 because of protocol
>> design errors/weakness. Unfortunately it looks like Cyrus cannot
>> disable SSLv3 protocol without disabling ciphers also used in
>> TLSv1.x, no?
>>
>> Regards
>>
>> Andreas

-- 
Mit freundlichen Grüßen, / Best Regards,

Sven Schwedas
System Administrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwedas@xxxxxx | +43 (0)680 301 7167
http://software.tao.at
---- Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
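The downgrade that Sven describes (a session pushed down to SSLv3 even though both ends speak TLSv1.2) works because 2014-era clients retried a failed handshake one protocol version lower, so anyone who can make the higher-version handshakes fail steers the connection to SSLv3. The model below is an added illustration written for this archive page, not code from the Cyrus project or from anyone in the thread: it simulates that "downgrade dance" against a server that keeps SSLv3 for compatibility, then shows the two defences, the TLS_FALLBACK_SCSV signal from RFC 7507 (which only helps when both client and server implement it) and simply disabling SSLv3 on the server, which is what Andreas is asking about. No real TLS is spoken; the version list, the class and function names, and the single placeholder cipher suite are constructed for the example.

```python
"""Toy model of the protocol-version "downgrade dance" that POODLE relies on,
and of the TLS_FALLBACK_SCSV signal (RFC 7507) that lets a server detect it.
Constructed example: no real TLS handshake is performed."""

from dataclasses import dataclass

# Protocol versions ordered weakest to strongest (assumption: only these four exist).
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]
TLS_FALLBACK_SCSV = "TLS_FALLBACK_SCSV"  # signalling cipher suite value from RFC 7507


def rank(version):
    return VERSIONS.index(version)


@dataclass
class ClientHello:
    version: str          # highest version this attempt offers
    cipher_suites: tuple  # offered suites, possibly including the SCSV


class Server:
    """Accepts any version in `supported`; if `scsv_aware`, refuses a fallback
    handshake that carries the SCSV at a version below its own maximum."""

    def __init__(self, supported, scsv_aware=False):
        self.supported = set(supported)
        self.scsv_aware = scsv_aware

    def max_version(self):
        return max(self.supported, key=rank)

    def handle(self, hello):
        if hello.version not in self.supported:
            return ("alert", "protocol_version")
        if (self.scsv_aware and TLS_FALLBACK_SCSV in hello.cipher_suites
                and rank(hello.version) < rank(self.max_version())):
            # The client says it is retrying below what it supports, yet we could
            # have done better: something interfered with the earlier handshake.
            return ("alert", "inappropriate_fallback")
        return ("server_hello", hello.version)


def direct(server):
    """Honest network path: the ClientHello reaches the server untouched."""
    return server.handle


def version_dropping_path(server, ceiling):
    """Network position that makes every handshake above `ceiling` fail
    (modelled as a connection reset) and passes the rest through unchanged."""
    def forward(hello):
        if rank(hello.version) > rank(ceiling):
            return ("connection_reset", None)
        return server.handle(hello)
    return forward


def negotiate(client_versions, path, use_scsv):
    """Client-side downgrade dance: try the highest version and, on any failure,
    retry one version lower. With `use_scsv` every retry carries the SCSV.
    Returns (negotiated version or None, transcript of attempts)."""
    transcript = []
    for attempt, version in enumerate(sorted(client_versions, key=rank, reverse=True)):
        suites = ("TLS_RSA_WITH_AES_128_CBC_SHA",)  # placeholder suite, constructed
        if use_scsv and attempt > 0:
            suites += (TLS_FALLBACK_SCSV,)
        reply = path(ClientHello(version, suites))
        transcript.append((version, reply))
        if reply[0] == "server_hello":
            return reply[1], transcript
        if reply == ("alert", "inappropriate_fallback"):
            return None, transcript  # downgrade detected: abort instead of retrying
    return None, transcript


def demo():
    """Run the five scenarios discussed in the thread and return the outcomes."""
    legacy = Server(VERSIONS)                  # keeps SSLv3 "for compatibility"
    aware = Server(VERSIONS, scsv_aware=True)  # keeps SSLv3 but honours the SCSV
    hardened = Server(VERSIONS[1:])            # SSLv3 disabled outright
    drop_to_sslv3 = lambda srv: version_dropping_path(srv, "SSLv3")
    return {
        "honest": negotiate(VERSIONS, direct(legacy), use_scsv=False)[0],
        "downgraded": negotiate(VERSIONS, drop_to_sslv3(legacy), use_scsv=False)[0],
        "scsv_ignored": negotiate(VERSIONS, drop_to_sslv3(legacy), use_scsv=True)[0],
        "scsv_detected": negotiate(VERSIONS, drop_to_sslv3(aware), use_scsv=True)[0],
        "sslv3_off": negotiate(VERSIONS, drop_to_sslv3(hardened), use_scsv=False)[0],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} -> {result}")
```

The "scsv_ignored" case is the one worth noticing: a client that sends the SCSV gains nothing from a server that does not check for it, which is why the signal alone was never a substitute for turning SSLv3 off on the server side.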