curl-library

Re: SSLv3 fallback attack POODLE

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Fri, 17 Oct 2014 16:40:46 +0200 (CEST)

On Fri, 17 Oct 2014, Florian Weimer wrote:

> Do you consider the fallback logic in the NSS code a security vulnerability?
> Then it might make sense to release its removal as a separate security fix,
> and not include the SSL 3.0 removal, to minimize the compatibility impact.

I don't. The POODLE attack doesn't work on anything that uses libcurl from
what I've seen[1], so all our talk and discussions about disabling SSLv3 and
removing the fallback logic in NSS are only extra precautions because they are
involved in the POODLE attack and thus indicate areas that involve problems
and weak security.

[1] = http://daniel.haxx.se/blog/2014/10/17/curl-is-no-poodle/

-- 
  / daniel.haxx.se
Received on 2014-10-17