Thursday, 16 October 2014

SSL 3.0 POODLE Vulnerability


A vulnerability in SSL version 3.0 (SSL3.0), CVE-2014-3566, known as "POODLE" was announced on 14 October 2014. This vulnerability allows the plaintext of secure connections to be calculated by a network attacker.

SSL 3.0 is nearly 18 years old, but support for it remains widespread. Most importantly, nearly all browsers support SSL 3.0 and browsers will retry failed connections with older protocol versions, including SSL 3.0 to work around bugs in HTTPS servers. A network attacker can cause connection failures and because of this, they can trigger the use of SSL 3.0 and then exploit this issue.

Reference material can be found here:
http://googleonlinesecurity.blogspot.ie/2014/10/this-poodle-bites-exploiting-ssl-30.html

Generic advisory is that SSL 3.0 should be disabled in all affected applications, in favor of the newer encryption mechanism TLS (Transport Layer Security).


source text: www.ssh.com






Email Retention Policies

Many companies have little to no email retention policies in place.  The idea here is to ensure that if a business related email is required...