Testing Cipher Strength
SSL Labs is able to identify the cipher strength of your browser. Incidentally, mobile Safari still fails the POODLE test but passes the FREAK attack test.
Mobile Chrome passes both.
https://www.ssllabs.com/ssltest/viewMyClient.html#1427935691955&frame_loaded
Comments
-
@wkleem: Thanks for sharing that! I don't visit SSL Labs as often as I should, so I appreciate the reminder. They have a TON of great information, along with their browser tests.
The good news is that SSL3 isn't widely used, and most everyone is using TLS now. Hopefully new browser and OS releases will put POODLE behind us soon.
0 -
Thanks for that @wkleem!
As you see, 1Browser in iOS pretty much follows Mobile Safari, and so POODLE remains. Like many downgrade attacks, POODLE requires that both the client and server be vulnerable. If Apple doesn't change this in WebKit "soonish", we will certainly look at what options we have to set a more restrictive policy.
0 -
Hi, I'm hoping that iOS 8.3 will fix it. iOS 9 is said to be shown at WWDC 2015.
0 -
@brenty What I'm reading about iOS 8 is that Apple has now made 8.3 an open beta, not just only for the devs. I am not on the developer channel.
https://theverge.com/2015/3/12/8203061/apple-ios-public-beta-now-available
0 -
@wkleem: Indeed! In fact, iOS 8.3 is out in full release now too (as of Wednesday?) Apple's release notes are just geared more toward changes/fixes for features/apps, rather than getting into the specifics.
Still getting a POODLE fail in Mobile Safari. Weirdly though it's failing in OS X now too, though I could have sworn it got a pass there when I first visited this thread... :(
0 -
@brenty, that's odd about OSX. I'm not on Yosemite yet. I got a POODLE fail on mobile Safari for iOS 8.3 as well.
Lion has got the same Rootpipe vulnerability as Yosemite 10.10.2; Apple has decided not to patch Rootpipe in Mountain Lion and Mavericks.
0 -
@wkleem: Yeah, I am really confused by this. I thought maybe I had imagined it, but nope:
Yosemite (under 'Secure Transport')
Mountain Lion/Mavericks
Yosemite shipped with the POODLE vulnerability patched, and Apple even released separate security updates for both Mountain Lion and Mavericks. Once installed, CBC cipher suites are disabled for SSL3, so this made no sense to me...
Well, apparently the SSL Labs 'test' is just checking user agent and nothing else. Mystery solved. So I don't know if it was a change on their end, or if I imagined 10.10.2 getting a 'pass' from their site in the first place. 8-)
0 -
I was able to track down information on iOS as well:
iOS 8 (under 'Secure Transport')
So this was also patched on iOS in the 8.1 update. It's just hard to even find this information unless you're looking for it. It seems they aggregate all of this in a single location, regardless of platform:
But the actual changelogs for Apple updates can still be pretty inscrutable. :(
0 -
Thanks for the info. It still doesn't explain why the browsers are failing POODLE at the device end. I'm not going to pursue it further.
0 -
@wkleem: I'm sorry if I wasn't clear enough: the webpage is just testing if the browser (based on the user agent) is supporting SSL3.
Rather than disabling SSL3 outright, Apple is preventing the exploit by 'disabling CBC cipher suites [for SSL3] when TLS connection attempts fail'. Confusing, but effective. :)
0
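Added example (not part of the thread, and not SSL Labs' or Apple's code): a Python check that parses a ClientHello and reports whether the client offers CBC cipher suites at SSL 3.0, which is the client-side condition the last post describes Apple removing on fallback. The function names and the ClientHello bytes are constructed for illustration, and the suite table is only a small subset of the IANA registry.

```python
CBC_SUITES = {  # a few CBC-mode suite IDs from the IANA TLS registry (subset)
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}
RC4_SHA = 0x0005  # TLS_RSA_WITH_RC4_128_SHA (stream cipher, not CBC)


def build_hello(version, suites):
    """Construct a minimal ClientHello record (sample input, no extensions)."""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    body = bytes(version) + bytes(32) + b"\x00"            # version, random, empty session id
    body += len(cs).to_bytes(2, "big") + cs + b"\x01\x00"  # suite list, null compression
    hs = b"\x01" + len(body).to_bytes(3, "big") + body     # handshake type 1 = ClientHello
    return b"\x16" + bytes(version) + len(hs).to_bytes(2, "big") + hs


def inspect_client_hello(record):
    """Return the offered version, known CBC suites, and whether SSL3+CBC is on offer."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hello = record[9:9 + int.from_bytes(record[6:9], "big")]
    if len(hello) < 35:
        raise ValueError("truncated ClientHello")
    version = (hello[0], hello[1])
    pos = 35 + hello[34]  # skip version (2), random (32), session id length + id
    cs_len = int.from_bytes(hello[pos:pos + 2], "big")
    raw = hello[pos + 2:pos + 2 + cs_len]
    if cs_len == 0 or cs_len % 2 or len(raw) != cs_len:
        raise ValueError("bad cipher suite list")
    suites = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, cs_len, 2)]
    cbc = [CBC_SUITES[s] for s in suites if s in CBC_SUITES]
    return {
        "version": version,
        "cbc_suites": cbc,
        # Client half of the POODLE condition; the server must accept SSL3 + CBC too.
        "ssl3_cbc_offered": version == (3, 0) and bool(cbc),
    }


if __name__ == "__main__":
    samples = {  # constructed hellos, not captured traffic
        "TLS 1.2 first attempt": build_hello((3, 3), [0x002F, 0x0035]),
        "SSL3 fallback, CBC still offered": build_hello((3, 0), [0x002F, RC4_SHA]),
        "SSL3 fallback, CBC dropped": build_hello((3, 0), [RC4_SHA]),
    }
    for name, rec in samples.items():
        print(name, inspect_client_hello(rec))
```

A client that still speaks SSL3 but drops the CBC suites on fallback reports `ssl3_cbc_offered` as false, which is why a test that only asks "is SSL3 supported?" can show a fail for a patched client.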