On Friday, 17 October 2014, 18:02:39, Christoph Anton Mitterer wrote:
> On Thu, 2014-10-16 at 21:34 +0200, Ángel González wrote:
> > First of all, note that wget doesn't react to a disconnect with a
> > downgraded retry, thus it is mainly not vulnerable to poodle (you could
> > only use CVE-2014-3566 against servers not supporting TLS).
> >
> > Then, even in that case, as an attacker won't be able to dynamically
> > connect in the background to another site, exploitation would be much
> > harder (something like a recursive download on an attacker-controlled
> > server (such as http) which is redirecting _some_ requests to the https
> > target). For little gain, as it's very unlikely that such wget would
> > hold any secret for that server connection (I think you would need to
> > use --load-cookies with a file shared with another -sensitive- batch
> > processing).
>
> Thanks for trying that out...
> But often when such issues are found, not long afterwards people can
> attack it even more, and what seems impossible right now may be possible
> then.
>
> Just look at the whole black magic to defend SSL against all the
> CBC/padding, MtE, lucky13 and further attacks... they fixed it and some
> time later the attacks were improved and the same issues were back.
>
> That's why I think SSLv3 should be no longer used, even if wget isn't
> that strongly exposed to attacks.
> Also one cannot say that people who depend on it wouldn't have had their
> time to move on to TLSv1.x... that SSLv3 will/should be phased out has
> been clear for years.
> So I feel it is better to proactively disable it (even if not yet
> necessary) and affect those who haven't done their homework, instead of
> waiting too long and letting those suffer who did.
Looking at the thread 'SSL Poodle attack'. So far everybody seems to agree to disable SSLv3 in the default settings. I already posted a patch for OpenSSL and GnuTLS.

Because 'Poodle' itself does not affect Wget (e.g. you need a Javascript-enabled client for that and Wget does not have a renegotiate mechanism), we are not in a hurry. SSLv3 *will* cease from the Wget defaults in the near future, I am sure. Please don't be too concerned.

Tim
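The distinction Ángel draws above (a client that retries with a downgraded version after a dropped handshake versus one that does not) and the default change Tim describes can be made concrete with a small simulation. This is an added example, not wget's code and not from any patch in this thread; the server, the attacker's drop behaviour and the version set are constructed for illustration.

```python
"""Constructed model of protocol-version negotiation under an on-path attacker.
It shows why a client with a downgrade-retry loop can be pushed to SSLv3, why a
single-attempt client cannot, and what removing SSLv3 from the defaults closes."""
from enum import IntEnum


class Proto(IntEnum):
    SSLv3 = 0x0300
    TLSv1 = 0x0301
    TLSv1_2 = 0x0303


class Dropped(Exception):
    """Handshake torn down before completion (what an on-path attacker can do)."""


def make_server(supported, attacker_drops_tls):
    """Return a handshake function for a server that negotiates the highest
    version it shares with the client's [client_min, client_max] range.
    With attacker_drops_tls set, every handshake whose ceiling is above SSLv3
    is killed, hoping the client retries with something lower."""
    def handshake(client_max, client_min):
        if attacker_drops_tls and client_max > Proto.SSLv3:
            raise Dropped()
        common = [v for v in supported if client_min <= v <= client_max]
        if not common:
            raise ConnectionError("no shared protocol version")
        return max(common)
    return handshake


def browser_style_connect(server):
    """Fallback retry: after a dropped handshake, try again with a lower ceiling.
    This loop is what lets the attacker walk the session down to SSLv3."""
    for ceiling in (Proto.TLSv1_2, Proto.TLSv1, Proto.SSLv3):
        try:
            return server(ceiling, Proto.SSLv3)
        except (Dropped, ConnectionError):
            continue
    return None


def wget_style_connect(server, sslv3_enabled):
    """One attempt, no downgraded retry on disconnect (as the thread describes
    wget). The only SSLv3 path left is a server that offers nothing newer, and
    sslv3_enabled=False (the proposed default) closes that path too."""
    floor = Proto.SSLv3 if sslv3_enabled else Proto.TLSv1
    try:
        return server(Proto.TLSv1_2, floor)
    except (Dropped, ConnectionError):
        return None
```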