I heard about the poodle breach coming back via TLS. Is nodejs vulnerable to it?
I've been googling for the answer without success.
> I heard about the poodle breach coming back via TLS.
Thanks for letting us know; I was not aware of that. From what I was able to learn, while the POODLE attack against SSL 3.0 exploits a vulnerability in the SSL 3.0 protocol, which would thus affect all implementations of SSL 3.0 and therefore the solution is to stop using SSL 3.0, the POODLE attack against TLS exploits bugs in certain implementations of the TLS protocol so the solution is to fix those implementations.
> Is nodejs vulnerable to it?
Node itself doesn't implement the SSL or TLS protocols. As such, node itself is not vulnerable.
Many people configure node to run behind another web server, such as nginx, which is typically configured to do caching and delivery of static files and to do encryption. Any requests that need to be proxied to node for processing are sent unencrypted over a private network. In such a configuration, node has nothing to do with encryption, and you would instead need to ask: is the web server in front (e.g. nginx) vulnerable?
Node can be configured to do encryption with the use of another library, openssl. If you're using node to do encryption, then you need to ask whether the version of openssl you're using is vulnerable. Node 0.11.14 ships with openssl 1.0.1i. Node 0.10.33 ships with openssl 1.0.1j. But node can also be configured to use another copy of openssl already on your system. In a brief search, I was not able to find any information about whether any openssl versions are vulnerable to the POODLE attack over TLS. You could contact the openssl developers for more information.
If you mean CVE-2014-8730 then this would seem to say openssl is not vulnerable.
http://www.mail-archive.com/openssl-users@openssl.org/msg75801.html