14 Oct

Another one like Heartbleed?

Yes, after Heartbleed and Shellshock we have another threat. Like Heartbleed, this one allows a plaintext view of SSL information through a man-in-the-middle attack. What that means is that information sent over a private channel can be read in plain text: private things like transactions and online banking.

It affects servers and browsers. If you use Google Chrome you have already been patched, and Firefox is patching in a nightly update this evening (Oct 14). Servers will need the SSL 3.0 fallback deprecated and removed. If you are one of our clients you have already been patched; if not, we can check your Linux-based system (most servers are Linux) for you, contact us here. If you are server-savvy and want to remove the 3.0 fallback on a Debian-based system yourself, keep reading. Take note that eliminating the fallback to SSL 3.0 can affect older or newer browsers that have not been patched.

POODLE SSL 3.0 fallback fixes for Ubuntu / Debian Linux

Nginx Server fix Ubuntu / Debian

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# restart nginx (not Apache) after editing the server block
sudo service nginx restart

Apache Server fix Ubuntu / Debian

SSLProtocol All -SSLv2 -SSLv3
# restart the server below
sudo service apache2 restart

Postfix SMTP

smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
# restart postfix (the postfix command itself has no "restart" action)
sudo service postfix restart

You can also get the patch info for the OpenSSL 1.0.1 branch here.
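To confirm the three changes above actually took, here is a small POSIX shell checker. It is added here as an example and is not part of the original post, nor does it ship with nginx, Apache or Postfix. Each function reads config text passed as its single argument, pulls out the relevant directive, and returns 0 when SSLv3 can no longer be negotiated; a missing directive is reported as not fixed, since older nginx and Apache builds allowed SSLv3 by default. The config snippets embedded in the script are constructed samples, not copied from a real server; point the functions at your own files with "$(cat /path/to/file)". One caveat for Postfix: smtpd_tls_mandatory_protocols only governs sessions where TLS is mandatory; opportunistic TLS is controlled by smtpd_tls_protocols, which the post above does not cover and this checker therefore leaves alone.

```shell
#!/bin/sh
# Added example (not from the original post): offline checker that reads
# nginx / Apache / Postfix config text and reports whether SSLv3 can still
# be negotiated.  Pass config text as the single argument, e.g.
#   nginx_sslv3_disabled "$(cat /path/to/nginx.conf)"
# Exit status 0 = SSLv3 disabled, 1 = SSLv3 still possible or unverified.

# nginx: the last "ssl_protocols ...;" directive wins; no directive is
# treated as unverified because older nginx builds enabled SSLv3 by default.
nginx_sslv3_disabled() {
    protos=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]\{1,\}\(.*\);.*$/\1/p' \
        | tail -n 1)
    [ -n "$protos" ] || return 1
    for tok in $protos; do
        if [ "$tok" = "SSLv3" ]; then return 1; fi
    done
    return 0
}

# Apache: "SSLProtocol" takes an inclusive list plus +/- modifiers, and the
# implicit default is "all", so a missing directive counts as SSLv3 enabled.
apache_sslv3_disabled() {
    protos=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*SSLProtocol[[:space:]]\{1,\}//p' \
        | tail -n 1)
    [ -n "$protos" ] || return 1
    enabled=0
    for tok in $protos; do
        case "$tok" in
            -SSLv3)                      return 0 ;;   # explicitly removed
            [Aa][Ll][Ll]|+[Aa][Ll][Ll])  enabled=1 ;;  # "all" pulls SSLv3 in
            SSLv3|+SSLv3)                enabled=1 ;;
        esac
    done
    [ "$enabled" -eq 0 ]
}

# Postfix: smtpd_tls_mandatory_protocols is either an exclusion list
# ("!SSLv2,!SSLv3") or an inclusion list ("TLSv1, TLSv1.1, TLSv1.2").
# Only mandatory-TLS sessions are governed by this key; opportunistic TLS
# uses smtpd_tls_protocols, which the original post does not cover.
postfix_sslv3_disabled() {
    value=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*smtpd_tls_mandatory_protocols[[:space:]]*=[[:space:]]*//p' \
        | tail -n 1)
    [ -n "$value" ] || return 1
    exclusion=0; excludes_ssl3=0; includes_ssl3=0
    for tok in $(printf '%s\n' "$value" | tr ',' ' '); do
        case "$tok" in
            "!SSLv3") exclusion=1; excludes_ssl3=1 ;;
            "!"*)     exclusion=1 ;;
            SSLv3)    includes_ssl3=1 ;;
        esac
    done
    if [ "$exclusion" -eq 1 ]; then
        [ "$excludes_ssl3" -eq 1 ]
    else
        [ "$includes_ssl3" -eq 0 ]
    fi
}

# Constructed sample snippets (not taken from any real server) to exercise the checks.
NGINX_SAFE='server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}'
NGINX_UNSAFE='server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}'
APACHE_SAFE='SSLEngine on
SSLProtocol All -SSLv2 -SSLv3'
APACHE_UNSAFE='SSLEngine on
SSLProtocol all'
POSTFIX_SAFE='smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3'
POSTFIX_UNSAFE='smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2'

report() {   # report <check-function> <config-text> <label>
    if "$1" "$2"; then echo "$3: SSLv3 disabled"
    else echo "$3: SSLv3 still possible (or directive missing)"; fi
}
report nginx_sslv3_disabled   "$NGINX_SAFE"     "nginx sample (fixed)"
report nginx_sslv3_disabled   "$NGINX_UNSAFE"   "nginx sample (unfixed)"
report apache_sslv3_disabled  "$APACHE_SAFE"    "apache sample (fixed)"
report apache_sslv3_disabled  "$APACHE_UNSAFE"  "apache sample (unfixed)"
report postfix_sslv3_disabled "$POSTFIX_SAFE"   "postfix sample (fixed)"
report postfix_sslv3_disabled "$POSTFIX_UNSAFE" "postfix sample (unfixed)"
```

Running the script as-is prints one verdict per sample; to audit a live box, replace the sample text with the contents of the real files. The checker reads configuration only and does not replace a live handshake test, because a reverse proxy or load balancer in front of the server can still terminate TLS with its own protocol list.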