Testing Cipher Strength

wkleem
wkleem
Community Member

SSL Labs is able to identify the cipher strength of your browser. Incidentally, mobile Safari still fails the POODLE test but passes FREAK attack.

Mobile Chrome passes both.

https://www.ssllabs.com/ssltest/viewMyClient.html#1427935691955&frame_loaded

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    @wkleem: Thanks for sharing that! I don't visit SSL Labs as often as I should, so I appreciate the reminder. They have a TON of great information, along with their browser tests.

    The good news is that SSL3 isn't widely used, and most everyone is using TLS now. Hopefully new browser and OS releases will put POODLE behind us soon.

  • jpgoldberg
    jpgoldberg
    1Password Alumni

    Thanks for that @wkleem!

    As you see 1Browser in iOS pretty much follows Mobile Safari, and so POODLE remains. Like many downgrade attacks, POODLE requires that both the client and server be vulnerable. If Apple doesn't change this in webkit "soonish". we will certainly look at what options we have to set a more restrictive policy.

  • wkleem
    wkleem
    Community Member

    Hi, I'm hoping that iOS 8.3 will fix it. iOS 9 is said to shown at WWDC 2015.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited April 2015

    @wkleem: Maybe there is someone running the iOS 8.3 beta that could confirm. It's pretty hard to find actual 'release notes' of Apple software sadly. :angry:

  • wkleem
    wkleem
    Community Member
    edited April 2015

    @brenty What I'm reading about iOS 8 is that Apple has now made 8.3 an open beta, not just only for the devs. I am not on the developer channel.

    https://theverge.com/2015/3/12/8203061/apple-ios-public-beta-now-available

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited April 2015

    @wkleem: Indeed! In fact, iOS 8.3 is out in full release now too (as of Wednesday?) Apple's release notes are just geared more toward changes/fixes for features/apps, rather than getting into the specifics.

    Still getting a POODLE fail in Mobile Safari. Weirdly though it's failing in OS X now too, though I could have sworn it got a pass there when I first visited this thread... :(

  • wkleem
    wkleem
    Community Member
    edited April 2015

    @wkleem: Indeed! In fact, iOS 8.3 is out in full release now too (as of Wednesday?) Apple's release notes are just geared more toward changes/fixes for features/apps, rather than getting into the specifics.

    Still getting a POODLE fail in Mobile Safari. Weirdly though it's failing in OS X now too, though I could have sworn it got a pass there when I first visited this thread... :(

    @brenty, That's odd about OSX. I'm not on Yosemite yet. I got a POODLE fail on mobile Safari for iOS 8.3 as well.

    Lion has got the same Rootpipe vulnerability as Yosemite 10.10.2, Apple has decided not to patch Rootpipe in Mountain Lion and Mavericks.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited April 2015

    @wkleem: Yeah I am really confused by this. I thought maybe I had imagined it, but knowp:

    Yosemite (under 'Secure Transport')
    Mountain Lion/Mavericks

    Yosemite shipped with the POODLE vulnerability patched, and Apple even released separate security updates for both Mountain Lion and Mavericks. Once installed, CBC cipher suites are disabled for SSL3, so this made no sense to me...

    Well, apparently the SSL Labs 'test' is just checking user agent and nothing else. Mystery solved. So I don't know if it was a change on their end, or if I imagined 10.10.2 getting a 'pass' from their site in the first place. 8-)

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited April 2015

    I was able to track down information on iOS as well:

    iOS 8 (under 'Secure Transport')

    So this was also patched on iOS in the 8.1 update. It's just hard to even find this information unless you're looking for it. It seems they aggregate all of this in a single location, regardless of platform:

    Apple security updates

    But the actual changelogs for Apple updates can still be pretty inscrutable. :(

  • wkleem
    wkleem
    Community Member

    Thanks for the info. It still doesn't explain why the browsers are failing POODLE at the device end. I'm not going to pursue it further.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited April 2015

    @wkleem: I'm sorry if I wasn't clear enough: the webpage is just testing if the browser (based on the user agent) is supporting SSL3.

    Rather than disabling SSL3 outright, Apple is preventing the exploit by 'disabling CBC cipher suites [for SSL3] when TLS connection attempts fail'. Confusing, but effective. :)

This discussion has been closed.