Canonical Urges Mozilla and Google to Remove SSLv3 Support from Their Browsers

Status
Not open for further replies.

Exterminator

Community Manager
Thread author
Verified
Staff Member
Well-known
Oct 23, 2012
12,527
A couple of new security problems were revealed this week regarding the SSL 3.0 protocol, but fixing them is not as easy as you might imagine.

Linux distros cannot just update some library and repair it, as the problem does not reside with them. Canonical has explained what they are planning to do in this regard for the Ubuntu systems and it's a rather complicated set of measures.

More and more vulnerabilities show up, usually involving critical pieces of software that are actually responsible for keeping users safe in the first place. Most of these issues are not new and have been around for some time, but only now are they discovered and exposed. Immediate measures are usually taken.

It's difficult for developers to fix something for their distribution if no patch has been provided. In the case of this current SSL flaw, it's not sufficient for Canonical to take action; other parties must be involved, like the makers of the internet browsers that are still providing support for that particular SSL version.
The POODLE security issue and the SSLv3 downgrade vulnerability are a real problem
Normally, Canonical would issue a patch for all the supported distos and users would just apply that patch with the first update. The current security problems are much more complicated than that and require more than just a company to truly fix.

"A vulnerability was discovered that affects the protocol negotiation between browsers and HTTP servers, where a man-in-the-middle (MITM) attacker is able trigger a protocol downgrade (ie, force downgrade to SSLv3, CVE to be assigned)."

"Additionally, a new attack was discovered against the CBC block cipher used in SSLv3 (POODLE, CVE-2014-3566). Because of this new weakness in the CBC block cipher and the known weaknesses in the RC4 stream cipher (both used with SSLv3), attackers who successfully downgrade the victim's connection to SSLv3 can now exploit the weaknesses of these ciphers to ascertain the plaintext of portions of the connection through brute force attacks," says Canonical's Robbie Williamson, the leader of the Cloud Development and Operations project.

The problem is that many websites still use the old SSL 3.0 protocol, which has been slowly replaced by other versions such as TLS 1.0, TLS 1.1, and TLS 1.2, and so on. Unfortunately, all these protocols are backwards compatible with SSLv3.

Canonical has urged other big companies like Google and Mozilla to disable SSLv3 support by default in their browser, meaning Chromium and Firefox, as a first step towards fixing this mess. Removing SSLv3 support from the OpenSSL library in Ubuntu is not really an option because it would break compatibility. Stay tuned for more information about these new security issues.
 
S

Sr. Normal

Well, here will be a season to use Opera in Canonical distros.

Thanks exterminator20
 

WalterWolf

Level 3
Verified
Jan 28, 2013
319
I can confirm that method for disabling SSLv3 on Chrome,works for Opera(Chromium based).

Maybe small off-topic.
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top