[Operators] SSLv3 is out.

Jonas Wielicki xmpp-operators at sotecware.net
Wed Oct 15 07:59:41 UTC 2014


Hm, that reads like I’m advocating keeping SSLv3 in the network. I don’t
want to do that. But there’s no need to panic and rush things either, I
think.

(ps.: I’m not a cryptographer)

On 15.10.2014 09:47, Jonas Wielicki wrote:
> I’m not confident that this attack is (like BEAST and CRIME) relevant
> for XMPP.
> 
> It requires that the attacker is able to induce several SSL connections,
> with the offset of the data to be attacked (which must be the same for
> all attempts) and the size of the packet under the attacker’s precise
> control.
> 
> I don’t know of a scenario in XMPP C2S, nor can I imagine one for XMPP
> S2S, where this would be plausibly possible. So I think it is not
> relevant for XMPP (also, the usual opportunistic encryption argument for
> s2s applies).
> 
> Also, do XMPP S2S connections do the “downgrade dance” mentioned in the paper?
> 
> regards,
> jwi
> 
> On 15.10.2014 01:02, Skhaen wrote:
>> So, I will try again, can we now have a critical warning for SSLv3 on
>> xmpp.net?
>>
>> ----> This POODLE bites: exploiting the SSL 3.0 fallback :
>> html :
>> http://googleonlinesecurity.blogspot.ru/2014/10/this-poodle-bites-exploiting-ssl-30.html
>> pdf : https://www.openssl.org/~bodo/ssl-poodle.pdf
>>
>> Thanks.
>>
>> Skhaen
>>
> 

