> @@ -0,0 +1,73 @@
> +---
> +author: <a href="http://blog.xebialabs.com/author/aphillips/";>Andrew 
> Phillips</a>
> +comments: true
> +date: 2014-10-22 23:30:00+00:00
> +layout: post
> +slug: poole-jclouds
> +title: What POODLE means for jclouds
> +---
> +
> +[POODLE](http://googleonlinesecurity.blogspot.com.au/2014/10/this-poodle-bites-exploiting-ssl-30.html)
>  is a recently discovered [man-in-the-middle 
> attack](http://en.wikipedia.org/wiki/Man-in-the-middle_attack) against SSL. 
> If you are communicating via SSL from Java applications, including jclouds 
> 1.8.1 and prior versions, you are potentially vulnerable to this attack.
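Review bot: The sentence `+If you are communicating via SSL from Java applications, including jclouds 1.8.1 and prior versions, you are potentially vulnerable to this attack.` overstates the exposure: the linked advisory is about SSL 3.0 specifically (its URL reads "exploiting-ssl-30"), and the attack needs an active man-in-the-middle who can force the fallback and get the client to send many chosen requests, so a Java client is not exposed merely by speaking SSL. Suggest qualifying it, e.g. "you are potentially vulnerable if the JVM still allows SSLv3 to be negotiated", and saying "attack against SSL 3.0" rather than "against SSL" in the preceding line. Two smaller points in the front matter: `+slug: poole-jclouds` looks like a typo for "poodle-jclouds", and the `author:` value is split across two lines in the hunk, so check the rendered `<a>` tag is intact.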

It takes more than communicating via SSL to be vulnerable to this attack. This 
sentence betrays the next and creates a context of concern that in most cases 
is unwarranted.

Look, for example, at [cocoaspdy](https://github.com/twitter/CocoaSPDY), who 
discuss a similar attack called CRIME. Rather than get into the weeds, they 
place responsibility on the user to make their own determination of risk 
(even though the author is a security expert)! If you replace "disable header 
compression" with "disable SSLv3", you have a pretty close preamble.

```
CRIME attack

The CRIME attack is a plaintext injection technique that exploits the fact that 
information can be inferred from compressed content length to potentially 
reveal the contents of an encrypted stream. This is a serious issue for 
browsers, which are subject to hijacks that may allow an attacker to issue an 
arbitrary number of requests with known plaintext header content and observe 
the resulting effect on compression.

In the context of an application that doesn't issue arbitrary requests, this is 
less likely to be an issue. However, before you ship a project with header 
compression enabled, you should understand the details of this attack and 
whether your application could be vulnerable.
```

---
Reply to this email directly or view it on GitHub:
https://github.com/jclouds/jclouds-site/pull/138/files#r19281785
