This topic created in 4222 days ago, the information mentioned may be changed or developed.
Supplement 1 · Oct 15, 2014
Supplement 2 · Oct 16, 2014
细节论文:https://www.openssl.org/~bodo/ssl-poodle.pdf
AWS 公告:https://aws.amazon.com/security/security-bulletins/CVE-2014-3566-advisory/
SSL安全站点检测:https://www.ssllabs.com/ssltest/analyze.html
AWS 公告:https://aws.amazon.com/security/security-bulletins/CVE-2014-3566-advisory/
SSL安全站点检测:https://www.ssllabs.com/ssltest/analyze.html
 |
1
wzxjohn Oct 15, 2014
目测这不是简单Patch能解决的问题啊。。。
In the coming months, we hope to remove support for SSL 3.0 completely from our client products. 这话都说出来了。。。 |
 |
2
dearrrfish OP |
|
3
dearrrfish OP 我标题说 Patch 不准确,应该是服务器设置的更新和客户端(浏览器)的更新吧。
|
 |
4
sanddudu Oct 15, 2014 via iPhone
@dearrrfish SSL 已死 TLS 永生 XD
|
 |
5
auser Oct 15, 2014
TLS1.2 应该成为标配
SSLv1 v2 v3早该淘汰了 |
 |
7
wdlth Oct 15, 2014
Google又作恶了,NSA要责令其停业整顿了。
|
 |
8
janxin Oct 15, 2014
@auser TLS v1.2也是Android4.1才开始支持的,要是TLS v1.2强制标配,Android要挂不少,除非客户端自己实现TLS v1.2。
|
 |
9
AstroProfundis Oct 15, 2014
已禁用 SSLv3 感谢提醒
|
 |
10
hjc4869 Oct 15, 2014 via iPhone
我服务器一直是TLS 1.0 1.1 1.2应该没受影响。。
|
 |
11
Akiyori Oct 15, 2014
Fastly的邮件
..we are disabling SSLv3 for all Fastly SSL customers, effective immediately..mainly affect users of Windows XP Pre-service pack 3 combined with IE version 6.. |
 |
13
mengzhuo Oct 15, 2014
细节论文
https://www.openssl.org/~bodo/ssl-poodle.pdf 粗略地看了看论文,中间人攻击+重复请求服务器就可以获得用户的Cookie等敏感信息。 服务器只有禁用SSLv3,不允许降级处理才行。。。 If SSL 3.0 is neither disabled nor the only possible protocol version, then the attack is possible if the client uses a downgrade dance for interoperability. |
|
14
dearrrfish OP 已手软,好多 dev tool script 要更新
|
Select Language