Another SSL vulnerability - The POODLE Attack

From the Mozilla Security Blog:

SSL version 3.0 is no longer secure. Browsers and websites need to turn off SSLv3 and use more modern security protocols as soon as possible, in order to avoid compromising users’ private information.

Under RHEL 6.5 with Apache httpd, edit /etc/httpd/conf.d/ssl.conf and make sure the protocol line disables both SSLv2 and SSLv3:

SSLProtocol all -SSLv2 -SSLv3

or you can just specify TLS only:

SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2

 Ars Technica has a good explanation.

Scott Helme has a good run down on how to fix this issue, for various servers and browsers.

Google releases security hole

Google has just released a buggy microblogging web application with security holes as a training tool for developers to understand security issues in web apps.

One codelab in particular teaches developers about common types of web application vulnerabilities. In the spirit of the thinking that "it takes a hacker to catch a hacker," the codelab also demonstrates how an attacker could exploit such vulnerabilities.

We're releasing this codelab, entitled "Web Application Exploits and Defenses," today in coordination with Google Code University and Google Labs to help software developers better recognize, fix, and avoid similar flaws in their own applications.