16 Oct
2014
16 Oct
'14
11:34 a.m.
Hi,
By now you have probably been made aware of a security deficiency in
the design of SSL 3.0 which has been dubbed "POODLE". Here's some
more info:
http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploi…
I am writing to you because, unless this script is flawed:
https://gist.github.com/bitfolk/18e8f48ebe937e802967
then there are over 150 customer IPs at BitFolk that are still
supporting SSLv3 on port 443.
I don't intend to open tickets with individual customers and nag
until this is fixed, because it's very time-consuming to do that.
To check if your server needs reconfiguring:
https://www.tinfoilsecurity.com/poodle
To disable SSLv3 on Apache newer than 2.2:
Add "-SSLv3" to the end of the "SSLProtocol" line which can
normally be found in /etc/apache2/mods-available/ssl.conf on
Debian and Ubuntu.
On Apache 2.2 or older:
You'll need to use "SSLProtocol TLSv1"
Nginx:
Make sure that the "ssl_protocols" line does not contain the
string "SSLv3". e.g.:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
is good.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
16 Oct
16 Oct
12:01 p.m.
New subject: [bitfolk] SSL POODLE (CVE-2014-3566) vulnerabilities amongst the customer base
Hi,
On Thu, Oct 16, 2014 at 11:34:04AM +0000, Andy Smith wrote:
http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploi…
I am writing to you because,
This email went to everyone on the announce@ list by the way.
My conversational tone was probably a mistake as it lead some to
believe that they were receiving the email because their IP
address(es) are known to support SSLv3. This is not the case.
Everyone got the email. You should check if you haven't already.
As I say I'm not intending to follow up with individuals over this.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
9 Dec
9 Dec
7:39 p.m.
New subject: [bitfolk] SSL POODLE (CVE-2014-3566) vulnerabilities amongst the customer base
Hello,
On Thu, Oct 16, 2014 at 11:34:04AM +0000, Andy Smith wrote:
By now you have probably been made aware of a security
deficiency in
the design of SSL 3.0 which has been dubbed "POODLE". Here's some
more info:
http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploi…
I am writing to you because, unless this script is flawed:
https://gist.github.com/bitfolk/18e8f48ebe937e802967
then there are over 150 customer IPs at BitFolk that are still
supporting SSLv3 on port 443.
ShadowServer have started reporting on this now, and their latest
report still shows 79 IPs in BitFolk's customer IP space that are
vulnerable to SSLv3/Poodle.
I still don't want to be opening tickets with people individually
over this so unless there is an outrage against the idea then I'm
thinking of just posting next Tuesday's report here. It only takes a
few seconds to scan all of BitFolk's IP space anyway and there are
multiple scripts published to do so (including the one linked
above).
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
16 Dec
16 Dec
5:44 p.m.
New subject: [bitfolk] SSL POODLE (CVE-2014-3566) vulnerabilities amongst the customer base
Hello,
On Tue, Dec 09, 2014 at 07:39:05PM +0000, Andy Smith wrote:
ShadowServer have started reporting on this now, and
their latest
report still shows 79 IPs in BitFolk's customer IP space that are
vulnerable to SSLv3/Poodle.
I still don't want to be opening tickets with people individually
over this so unless there is an outrage against the idea then I'm
thinking of just posting next Tuesday's report here.
Here you go:
http://dl.shadowserver.org/4o9jR_W433PVUJ4CIuqH8V7ht7A?mXSocjvDYp7FJ-vqyoRi…
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
3437
days inactive
3498
days old
3 comments
1 participants
participants (1)
-
Andy Smith