View Issue Details

ID: 0001314
Project: Main CAcert Website
Category: misc
View Status: public
Last Update: 2015-01-25 20:55
Reporter: wytze
Assigned To: wytze
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform: Main CAcert Website
OS: N/A
OS Version: stable
Product Version: 2014 Q4
Target Version: 2014 Q4
Fixed in Version: 2014 Q4
Summary: 0001314: SSL/TLS support for SSL3 protocol and 3DES cipher suite should be disabled
Description: The main CAcert website is currently still supporting the SSL3 protocol for secure connections. However, in https://www.openssl.org/~bodo/ssl-poodle.pdf it is shown that SSL3 is susceptible to certain cryptographical attacks. While www.cacert.org does support the recommended TLS_FALLBACK_SCSV option to protect clients with that same protocol option against unintended downgrades to SSL3, this still leaves plain old SSL3 clients vulnerable to the new attack.

Similarly, the main CAcert website is currently still supporting the 3DES cipher suite for encrypting secure connections. However, this provides only 112 bits of security, which is below the currently recommended number of 128. Hence we should disable it to protect CAcert's clients.

Suggested solution: disable SSL3 and 3DES
Motivation:
In practice, the only client known to negotiate SSL3 with www.cacert.org is Internet Explorer 6.0 as found in Windows XP. Thus disabling SSL3 will block https access for these clients only. Similarly, 3DES will only be negotiated by IE 6 and IE 8 running on Windows XP. Since Windows XP is no longer supported by its vendor, and the widely circulated advice to all its users is to switch to a more recent operating system (or switch at least to a more current browser), announcing termination of support for SSL3 and 3DES by CAcert on December 1, 2014 does not seem unreasonable, and is fully in line with its mission to support the security of its users.
Steps To Reproduce: See https://www.openssl.org/~bodo/ssl-poodle.pdf
Tags: No tags attached.
Reviewed by
Test Instructions

Relationships

child of | 0001241 | needs feedback | jandd | cacert.org SSL/TLS configuration is bad on many levels
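
The impact analysis in the Motivation above can be worked through as a small negotiation model. This is an added example, not code from CAcert or from the reporter. The server and client suite lists are constructed, simplified profiles chosen to match the behaviour the report describes, and `negotiate`, `harden` and `impact` are hypothetical helper names.

```python
# Added example: constructed data, not CAcert's real configuration.
PROTOCOL_ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]  # oldest to newest

def is_weak(protocol, cipher):
    """Return the reasons a protocol/cipher pair violates the policy in the report."""
    reasons = []
    if protocol == "SSLv3":
        reasons.append("SSL3 protocol")
    if "3DES" in cipher or "DES-CBC3" in cipher:
        reasons.append("3DES cipher (112-bit security)")
    return reasons

def negotiate(server, client):
    """Highest shared protocol, then first server-preferred cipher the client offers."""
    shared = [p for p in PROTOCOL_ORDER
              if p in server["protocols"] and p in client["protocols"]]
    if not shared:
        return None
    for cipher in server["ciphers"]:
        if cipher in client["ciphers"]:
            return shared[-1], cipher
    return None

def harden(server):
    """Apply the suggested solution: drop SSL3 and every 3DES suite."""
    return {"protocols": [p for p in server["protocols"] if p != "SSLv3"],
            "ciphers": [c for c in server["ciphers"] if not is_weak("", c)]}

def impact(before, after, clients):
    """Map client name -> (result before, result after, weaknesses before)."""
    report = {}
    for name, client in clients.items():
        old, new = negotiate(before, client), negotiate(after, client)
        report[name] = (old, new, is_weak(*old) if old else [])
    return report

# Constructed sample data (hypothetical suite lists, OpenSSL-style names).
BEFORE = {"protocols": ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"],
          "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "DES-CBC3-SHA"]}
CLIENTS = {
    "IE 6 / XP": {"protocols": ["SSLv3"], "ciphers": ["DES-CBC3-SHA"]},
    "IE 8 / XP": {"protocols": ["SSLv3", "TLSv1.0"], "ciphers": ["DES-CBC3-SHA"]},
    "current Firefox": {"protocols": ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
                        "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]},
}

if __name__ == "__main__":
    for name, (old, new, weak) in impact(BEFORE, harden(BEFORE), CLIENTS).items():
        print(f"{name}: before={old} weak={weak} after={new or 'no connection'}")
```

In this model only the two XP-era profiles lose access after hardening, and they are also the only ones that negotiated a flagged protocol or cipher beforehand.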

Activities

Werner Dworak

2014-10-20 16:00

updater   ~0005062

No objection. I still use XP but I use the latest IE 8.0 for Windows updates only, never for secure communication. Normally I use the latest Firefox. So I am not concerned.

wytze

2014-12-01 15:07

developer   ~0005138

Support for SSL3 and 3DES has been disabled in the CAcert webserver on December 1, 2014. See also: https://lists.cacert.org/wws/arc/cacert-systemlog/2014-12/msg00000.html

Mathias

2015-01-25 20:55

reporter   ~0005276

See https://www.ssllabs.com/ssltest/analyze.html?d=cacert.org

Closed, thanks.

Issue History

Date Modified Username Field Change
2014-10-20 13:19 wytze New Issue
2014-10-20 13:19 wytze Assigned To => wytze
2014-10-20 13:20 wytze Status new => needs work
2014-10-20 13:20 wytze Relationship added child of 0001241
2014-10-20 16:00 Werner Dworak Note Added: 0005062
2014-12-01 15:07 wytze Note Added: 0005138
2014-12-01 15:07 wytze Status needs work => solved?
2014-12-01 15:07 wytze Fixed in Version => 2014 Q4
2014-12-01 15:07 wytze Resolution open => fixed
2015-01-25 20:55 Mathias Note Added: 0005276
2015-01-25 20:55 Mathias Status solved? => closed