AnsweredAssumed Answered

POODLE and API

Question asked by Alex B on Feb 25, 2015
Latest reply on Feb 26, 2015 by Alex B

Hi all!

First of all i want to say thank to SSLLABS team for great work and great online service!

 

We use your online service for deep analysis of the configuration of our SSL/TLS web-servers and after 1 month of using we have some questions and we would be grateful for answers.

 

1. Where POODLE?

 

Please explain the following situation (may be again).

After the scan we have got this summary:

 

Protocols:

Cipher Suites:

But:

 

Explain please, why POODLE mitigated? Why CipherSuite with RC4 before CipherSuite with CBC made POODLE mitigated (i really cant find explanation).

For example, if user of Internet Explorer 6 (without "V" on TLS 1.0) came to our web-server, for him will be available two CipherSuites:

  • TLS_RSA_WITH_RC4_128_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA

and if intruder can force our client to use CipherSuite with CBC then POODLE hello, no? (SSLv3 + CBC)

 


2. API Question

 

After scan we have got:

 

but if we use API for this web-server we have got:

 

according to (SSL Labs API Documentation: v2.0 Beta) value 1 means - Not vulnerable:

 

As we have seen above, POODLE single vulnerability that downgrade to C.

But service didn't forget downgrade to C:

Снимок.PNG


3. Future request.

I think for some administrators/organizations it`s still important to support guys with IE6.What about to write near "Fail" mini-instructions with tips when it will work (turn on TLS 1.0 in IE6, upgrade to other browses, now make banner for users with user-agent IE6 and so on)? Because this Administrators when see this think O___O and ran to turn on SSLv3 again I think that thanks to these tips, many finally shut down sslv3.

 

 

Thank you! and sorry for my bad English

Outcomes