RFC 7568 Deprecates SSLv3 As Insecure
AmiMoJo writes: SSLv3 should not be used, according to the IETF's RFC 7568. Despite being replaced by three versions of TLS, SSLv3 is still in use. Clients and servers are now recommended to reject requests to use SSLv3 for secure communication. "SSLv3 Is Comprehensively Broken," say the authors, and lay out its flaws in detail.
Currently, this is a PROPOSED standard. Meaning it still has to be accepted as standard by the IETF.
Would you prefer they pretend such devices aren't broken? It's not like they're waving a wand and making them all disappear anyway.
Well.. personally speaking I don't expose any functionality to the net unless it can be updated, authenticated, secured, QoS'd, logged and monitored.
So pretty much all those devices shouldn't BE on the boundary of your network, the only thing standing between you and the outside world.
If you want to do that, use reverse proxies, not port-forwards, use VPNs, not opening up some cheap Chinese webcam to your home network and the random people of the Internet.
So it doesn't actually matter if they used TLS or not - they are communicating only across a secured network anyway. You may as well just HTTP or telnet into them from your VPN.
Just make sure that your frontline, Internet-facing, open-to-attack-from-the-Internet device is secured. So your VPN/firewall. And that's it.
And what about the tens of thousands of UPSes, printers, KVMs, IP cameras, thermocouples and other embedded crap, all of which only respond to SSL v3?...
Once the RFC "passes", they are out of standard.
I had to replace my 11-year-old wireless access point because it did only SSL3 and my browsers refused to connect to it in their default configuration. Even though the firmware in the access point is upgradeable, Netgear stopped supporting that unit long ago.
So what about all the devices that are not upgradeable? Well, the first thing is not to expose them to insecure networks....
All that 'utility' stuff shouldn't be exposed to public nets anyways, maybe not even to your intranet.
Since your threats are both external (DDOS, botnets, intrusion) and internal (malware, bots, id10ts), you need to protect your management systems from both, and segregate your networks.
Yes, a huge nuisance to be using portals, multiple authentications, etc, but the choice, for some, is having to explain how the crooks got into your corp net and picked it clean, or how they got into EVERYTHING and you can't get them out of all that, 'cause your management tools are also compromised, and they keep respawning internally, and you just can't, and they just keep, and it's so haaaarrd...
Because you can't, probably, 'just reimage' all your servers, VMs, firewalls and appliances, even the damned UPS stuff. At least not without a total shutdown, and probably without a specific ETA...
Arg.
deleting the extra space after periods so i can stay relevant, yeah.
Did you say NSA appliance? Well there is your problem.
The most dangerous drug
The market, not IETF process, decides which protocols will continue to be used going forward.
The market loves when we have formal documents laid down by the Formal Documents People confirming what we've been telling our bosses for years. I would bet large sums of money that some tech, somewhere, just walked out of a meeting happy because he finally has permission to deprecate a long-broken system.
Dewey, what part of this looks like authorities should be involved?
Legal issues. SSL = Name was created and owned by Netscape (now AOL/TWC). TLS = Open/free and named so it would not get into trademark issues with Netscape/AOL.
Custom electronics and digital signage for your business: www.evcircuits.com
The market loves when we have formal documents laid down by the Formal Documents People confirming what we've been telling our bosses for years. I would bet large sums of money that some tech, somewhere, just walked out of a meeting happy because he finally has permission to deprecate a long-broken system.
I was afraid people would push back with these arguments.
They would have had to miss section 3.1.1 of RFC7525: "Implementations MUST NOT negotiate SSL version 3." RFC7525, by the way, is a BCP, which is where this shit belongs.
My point was subtle. You can provide reasons why you shouldn't use this or that which can be used for the same reasons you enumerated all without the baseless assertions and demands.
BCPs are the appropriate venue for this, not this largely redundant standards track RFC which happens to get noticed by Slashdot.
In the US, you need not register a name for it to be trademarked necessarily. You just have to have it used.
Custom electronics and digital signage for your business: www.evcircuits.com