> @@ -0,0 +1,73 @@
> +---
> +author: <a href="http://blog.xebialabs.com/author/aphillips/";>Andrew 
> Phillips</a>
> +comments: true
> +date: 2014-10-22 23:30:00+00:00
> +layout: post
> +slug: poole-jclouds
> +title: What POODLE means for jclouds
> +---
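Review bot: the front-matter slug `poole-jclouds` does not match the title "What POODLE means for jclouds" and reads as a typo for `poodle-jclouds`; since the slug becomes the post URL, correct it before merge rather than after links have circulated. The author anchor in the same hunk also carries a stray `";` after the href URL (`.../aphillips/";>`), which, if that is what the file contains, will render as a broken attribute; it should read `<a href="http://blog.xebialabs.com/author/aphillips/">Andrew Phillips</a>`.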

General commentary is that we go into way too much detail, and dangerously so, 
since we aren't security experts. This can cause users to get the wrong idea. 
Considering I can't find any Java HTTP client that actually has an official 
note like this, we are first to war, and maybe questionably so, for reasons 
discussed earlier.

Oracle, the stewards of the JVM, say to [deprecate the use of SSL 3.0 as soon as 
possible](http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html). 
They don't get into the weeds, and in fact patches to the JVM and info about 
them are under a [support 
firewall](https://support.oracle.com/rs?type=doc&id=1935950.1).

Red Hat made some commentary on [disabling it on Java 
servers](https://access.redhat.com/solutions/1232233), which can be used for 
guidance. Note that servers clearly have more at play, as they serve browsers, 
which are the primary attack vector.

If you follow that link, you'll see a blurb on clients eventually: 
https://access.redhat.com/articles/1232123

Best advice I can give is do not make up advice, just state facts.

This is a MITM attack (quote Oracle or Red Hat for a description). Suggest users 
assess their level of impact. Note the component responsible, show an *example* 
of how to affect `HttpsURLConnection`, but be clear about who to ask for details 
(Javadoc, Oracle, OpenJDK, etc.). Note components or configuration that limit 
SSL configuration, without suggesting that things like "trust-all-certs" should 
ever be used by those concerned with MITM.

Hope this helps.

---
Reply to this email directly or view it on GitHub:
https://github.com/jclouds/jclouds-site/pull/138/files#r19284835
