Status
Not open for further replies.

Exterminator

Community Manager
Staff member
Verified
A couple of new security problems were revealed this week regarding the SSL 3.0 protocol, but fixing them is not as easy as you might imagine.

Linux distros cannot just update some library and repair it, as the problem does not reside with them. Canonical has explained what they are planning to do in this regard for the Ubuntu systems and it's a rather complicated set of measures.

More and more vulnerabilities show up, usually involving critical pieces of software that are actually responsible for keeping users safe in the first place. Most of these issues are not new and have been around for some time, but only now are they discovered and exposed. Immediate measures are usually taken.

It's difficult for developers to fix something for their distribution if no patch has been provided. In the case of this current SSL flaw, it's not sufficient for Canonical to take action; other parties must be involved, like the makers of the internet browsers that are still providing support for that particular SSL version.

The POODLE security issue and the SSLv3 downgrade vulnerability are a real problem

Normally, Canonical would issue a patch for all the supported distros and users would just apply that patch with the first update. The current security problems are much more complicated than that and require more than just a company to truly fix.

"A vulnerability was discovered that affects the protocol negotiation between browsers and HTTP servers, where a man-in-the-middle (MITM) attacker is able to trigger a protocol downgrade (i.e., force downgrade to SSLv3, CVE to be assigned)."

"Additionally, a new attack was discovered against the CBC block cipher used in SSLv3 (POODLE, CVE-2014-3566). Because of this new weakness in the CBC block cipher and the known weaknesses in the RC4 stream cipher (both used with SSLv3), attackers who successfully downgrade the victim's connection to SSLv3 can now exploit the weaknesses of these ciphers to ascertain the plaintext of portions of the connection through brute force attacks," says Canonical's Robbie Williamson, the leader of the Cloud Development and Operations project.

The problem is that many websites still use the old SSL 3.0 protocol, which has been slowly replaced by other versions such as TLS 1.0, TLS 1.1, and TLS 1.2, and so on. Unfortunately, all these protocols are backwards compatible with SSLv3.

Canonical has urged other big companies like Google and Mozilla to disable SSLv3 support by default in their browsers, meaning Chromium and Firefox, as a first step towards fixing this mess. Removing SSLv3 support from the OpenSSL library in Ubuntu is not really an option because it would break compatibility. Stay tuned for more information about these new security issues.
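
An added illustration, not part of the original post or of Canonical's statement: a toy Python model of the protocol downgrade described in the quoted advisory, assuming the client retries a failed handshake with a lower protocol version (the retry behaviour, the function names and the sample sets are assumptions of this sketch, and no real TLS is spoken). It shows why disabling SSLv3 in the client turns a forced downgrade into a failed connection, and why the same setting cuts off servers that only speak SSLv3.

```python
# Toy model of version negotiation with client-side fallback retries.
# Protocol versions are ordered oldest to newest.
VERSIONS = ["SSLv3", "TLS 1.0", "TLS 1.1", "TLS 1.2"]


def handshake(lowest, highest, server_versions, mitm_blocks):
    """One attempt: the client accepts anything in [lowest, highest].

    Returns the newest version both sides support, or None on failure.
    `mitm_blocks` models an on-path party that makes attempts announcing
    those versions fail (assumption: the client cannot tell why it failed).
    """
    if highest in mitm_blocks:
        return None
    lo, hi = VERSIONS.index(lowest), VERSIONS.index(highest)
    usable = [v for v in VERSIONS[lo:hi + 1] if v in server_versions]
    return usable[-1] if usable else None


def connect(client_min, server_versions, mitm_blocks=frozenset()):
    """Retry with a lower announced version after each failure, but never
    go below `client_min` (the browser's minimum enabled protocol)."""
    floor = VERSIONS.index(client_min)
    for highest in reversed(VERSIONS[floor:]):
        agreed = handshake(client_min, highest, server_versions, mitm_blocks)
        if agreed is not None:
            return agreed
    return None  # connection fails instead of being downgraded


def demo():
    server = set(VERSIONS)                        # constructed: server still accepts SSLv3
    blocker = {"TLS 1.0", "TLS 1.1", "TLS 1.2"}   # constructed: every TLS attempt fails
    return {
        "no interference": connect("SSLv3", server),
        "SSLv3 enabled, interference": connect("SSLv3", server, blocker),
        "SSLv3 disabled, interference": connect("TLS 1.0", server, blocker),
        "SSLv3 disabled, SSLv3-only server": connect("TLS 1.0", {"SSLv3"}),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```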
 
Sr. Normal

Well, here will be a season to use Opera in Canonical distros.

Thanks exterminator20
 

WalterWolf

Level 3
Verified
I can confirm that method for disabling SSLv3 on Chrome works for Opera (Chromium based).

Maybe small off-topic.
 