View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0001314 | Main CAcert Website | misc | public | 2014-10-20 13:19 | 2015-01-25 20:55 |
| Reporter | wytze | Assigned To | wytze | ||
| Priority | high | Severity | major | Reproducibility | always |
| Status | closed | Resolution | fixed | ||
| Platform | Main CAcert Website | OS | N/A | OS Version | stable |
| Product Version | 2014 Q4 | ||||
| Target Version | 2014 Q4 | Fixed in Version | 2014 Q4 | ||
| Summary | 0001314: SSL/TLS support for SSL3 protocol and 3DES cipher suite should be disabled | ||||
| Description | The main CAcert website is currently still supporting the SSL3 protocol for secure connections. However, in https://www.openssl.org/~bodo/ssl-poodle.pdf it is shown that SSL3 is susceptible to certain cryptograhical attacks. While www.cacert.org does support the recommended TLS_FALLBACK_SCSV option to protect clients with that same protocol option against unintended downgrades to SSL3, this still leaves plain old SSL3 clients vulnerable for the new attack. Similarly, the main CAcert website is currently still supporting the 3DES cipher suite for encyrpting secure connections. However, this provides only 112 bits of security, which is below the currently recommended number of 128. Hence we should disable it to protect CAcert's clients. Suggested solution: disable SSL3 and 3DES Motivation: In practice, the only client known to negotiate SSL3 with www.cacert.org is Internet Explorer 6.0 as found in Windows XP. Thus disabling SSL3 will block https access for these clients only. Similarly, 3DES will only be negotiated by IE 6 and IE 8 running on Windows XP. Since Windows XP is no longer supported by its vendor, and the widely circulated advice to all its users is to switch to a more recent operating system (or switch at least to a more current browser), announcing termination of support for SSL3 and 3DES by CAcert on December 1, 2014 does not seem unreasonable, and is fully in line with its mission to support the security of its users. | ||||
| Steps To Reproduce | See https://www.openssl.org/~bodo/ssl-poodle.pdf | ||||
| Tags | No tags attached. | ||||
| Reviewed by | |||||
| Test Instructions | |||||
|
|
No objection. I still use XP but I use the latest IE 8.0 for windows updates only, never for secure communication. Normal I use the latest Firefox. So I am not concerned. |
|
|
Support for SSL3 and 3DES has been disabled in the CAcert webserver on December 1, 2014. See also: https://lists.cacert.org/wws/arc/cacert-systemlog/2014-12/msg00000.html |
|
|
See https://www.ssllabs.com/ssltest/analyze.html?d=cacert.org Closed, thanks. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2014-10-20 13:19 | wytze | New Issue | |
| 2014-10-20 13:19 | wytze | Assigned To | => wytze |
| 2014-10-20 13:20 | wytze | Status | new => needs work |
| 2014-10-20 13:20 | wytze | Relationship added | child of 0001241 |
| 2014-10-20 16:00 | Werner Dworak | Note Added: 0005062 | |
| 2014-12-01 15:07 | wytze | Note Added: 0005138 | |
| 2014-12-01 15:07 | wytze | Status | needs work => solved? |
| 2014-12-01 15:07 | wytze | Fixed in Version | => 2014 Q4 |
| 2014-12-01 15:07 | wytze | Resolution | open => fixed |
| 2015-01-25 20:55 | Mathias | Note Added: 0005276 | |
| 2015-01-25 20:55 | Mathias | Status | solved? => closed |
