Hm, that reads like I’m advocating keeping SSLv3 in the network. I don’t want to do that. But there’s no need to panic and rush things either, I think.
(ps.: I’m not a cryptographer)

On 15.10.2014 09:47, Jonas Wielicki wrote:
> I’m not confident that this attack is (like BEAST and CRIME) relevant
> for XMPP.
>
> It requires that the attacker is able to induce several SSL connections,
> with the offset of the data to be attacked (which must be the same for
> all attempts) and the size of the packet under the attacker’s precise
> control.
>
> I don’t know of a scenario in XMPP C2S, nor can I imagine one for XMPP
> S2S, where this would be plausibly possible. So I think it is not
> relevant for XMPP (also, the usual opportunistic encryption argument for
> s2s applies).
>
> Also, do XMPP S2S connections do the “downgrade dance” mentioned in the paper?
>
> regards,
> jwi
>
> On 15.10.2014 01:02, Skhaen wrote:
>> So, I will try again, can we now have a critical warning for SSLv3 on
>> xmpp.net?
>>
>> ----> This POODLE bites: exploiting the SSL 3.0 fallback :
>> html :
>> http://googleonlinesecurity.blogspot.ru/2014/10/this-poodle-bites-exploiting-ssl-30.html
>> pdf : https://www.openssl.org/~bodo/ssl-poodle.pdf
>>
>> Thanks.
>>
>> Skhaen
>>
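The preconditions jwi lists (many induced connections, the attacked data at a fixed offset, the record size under the attacker's control) are exactly what the POODLE byte-recovery step consumes. The simulation below, added here as an illustration and not code from this thread or from any XMPP project, models an SSLv3-style CBC record layer whose receiver checks only the pad-length byte, and runs the attack against it. Everything in it is hypothetical: the block cipher is a toy Feistel network keyed with SHA-256 (the attack depends on CBC chaining, not on cipher strength), the MAC is HMAC-SHA1, the victim's request is an attacker-chosen prefix plus a secret plus an attacker-chosen suffix, each attempt runs over a fresh `Connection` with fresh keys, and the attacker is assumed to know the secret's length. The names `Connection`, `recover_byte` and `poodle_recover` are this example's own.

```python
"""Simulated POODLE byte recovery against an SSLv3-style CBC record layer.

Added example; not code from the mailing-list thread or any XMPP project.
Assumptions (hypothetical, for a self-contained offline run):
  * toy 4-round Feistel block cipher keyed with SHA-256;
  * record MAC = HMAC-SHA1 over the record body;
  * every attempt uses a fresh connection with fresh key/IV, like the
    connections the paper's attacker induces from a browser;
  * the attacker knows the secret's length.
"""
import hashlib
import hmac
import os

BLOCK = 16
MAC_LEN = 20


def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, i, right)))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = bytes(a ^ b for a, b in zip(right, _round(key, i, left))), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, bytes(a ^ b for a, b in zip(pt[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out.append(bytes(a ^ b for a, b in zip(block_decrypt(key, blk), prev)))
        prev = blk
    return b"".join(out)


class Connection:
    """One session: fresh keys and an implicit IV (SSLv3 sends no IV)."""

    def __init__(self):
        self.key, self.mac_key, self.iv = os.urandom(16), os.urandom(16), os.urandom(BLOCK)

    def send(self, body: bytes) -> bytes:
        """Client: body || MAC || padding. SSLv3 padding bytes are arbitrary;
        only the final byte (pad length, excluding itself) carries meaning."""
        mac = hmac.new(self.mac_key, body, hashlib.sha1).digest()
        pad_len = BLOCK - 1 - (len(body) + MAC_LEN) % BLOCK
        return cbc_encrypt(self.key, self.iv, body + mac + os.urandom(pad_len) + bytes([pad_len]))

    def receive(self, record: bytes) -> bool:
        """Server: the SSLv3 flaw is that padding content is never checked."""
        if len(record) % BLOCK:
            return False
        pt = cbc_decrypt(self.key, self.iv, record)
        pad_len = pt[-1]
        if pad_len >= BLOCK:
            return False
        data = pt[:len(pt) - pad_len - 1]
        if len(data) < MAC_LEN:
            return False
        body, mac = data[:-MAC_LEN], data[-MAC_LEN:]
        return hmac.compare_digest(hmac.new(self.mac_key, body, hashlib.sha1).digest(), mac)


def victim_request(conn: Connection, prefix_len: int, suffix_len: int, secret: bytes) -> bytes:
    """Attacker controls how much precedes/follows the secret, never the secret."""
    return conn.send(b"A" * prefix_len + secret + b"B" * suffix_len)


def find_full_padding_suffix(prefix_len: int, secret: bytes) -> int:
    """Grow the suffix until the record grows by a whole block: then
    body+MAC is a block multiple and the padding is a full block."""
    prev = len(victim_request(Connection(), prefix_len, 0, secret))
    for suffix_len in range(1, BLOCK + 1):
        cur = len(victim_request(Connection(), prefix_len, suffix_len, secret))
        if cur - prev == BLOCK:
            return suffix_len
        prev = cur
    raise RuntimeError("length must jump within one block")


def recover_byte(j: int, secret: bytes, max_tries: int = 100_000):
    """Place secret[j] at the end of block t (t >= 1, so C[t-1] is known
    ciphertext, not the hidden IV); copy C[t] over the padding block; the
    server accepts iff the decrypted pad byte equals BLOCK-1 (p = 1/256)."""
    prefix_len = BLOCK + (BLOCK - 1 - j) % BLOCK
    t = (prefix_len + j) // BLOCK
    suffix_len = find_full_padding_suffix(prefix_len, secret)
    for attempt in range(1, max_tries + 1):
        conn = Connection()
        ct = victim_request(conn, prefix_len, suffix_len, secret)
        if conn.receive(ct[:-BLOCK] + ct[t * BLOCK:(t + 1) * BLOCK]):
            # last plaintext block = D(C_t) ^ C_{n-1}, and D(C_t) = P_t ^ C_{t-1}
            return (BLOCK - 1) ^ ct[-2 * BLOCK:-BLOCK][-1] ^ ct[(t - 1) * BLOCK:t * BLOCK][-1], attempt
    raise RuntimeError("no accepted record")


def poodle_recover(secret: bytes):
    """Recover the whole secret; returns (bytes, total connections used)."""
    out, total = bytearray(), 0
    for j in range(len(secret)):
        b, tries = recover_byte(j, secret)
        out.append(b)
        total += tries
    return bytes(out), total


if __name__ == "__main__":
    SECRET = b"sid=7f3a"  # constructed sample secret (think: session cookie)
    print(poodle_recover(SECRET))
```

Running it recovers the secret at roughly 256 induced connections per byte, which is why the attack needs a victim that can be made to open a connection, re-send the same secret at a chosen offset, and re-send a record of chosen length, over and over. Whether anything in XMPP C2S or S2S affords an attacker that is the question jwi raises; independent of that, whether a deployment still offers SSLv3 at all can be checked with `openssl s_client -connect host:5222 -starttls xmpp -ssl3` (OpenSSL builds with SSLv3 compiled out will reject the flag).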
