
Why SSLv3.0 Needs to Be Disabled

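When a server communicates over HTTPS, it normally negotiates the protocol version automatically, preferring the highest version available, such as TLS 1.2. If the two sides do not share that version, they keep handshaking until they find a protocol both support. This adjustment is not only triggered automatically between server and client; an attacker sitting on the network can also initiate it deliberately in order to break in.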

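In effect the attacker gets to decide which protocol is used, so pushing the server and client down to SSLv3.0 is easy. Whether SSLv3.0 is used with RC4 stream encryption or with CBC block encryption, both are now known to be insecure and easy to attack, so SSLv3.0 is a vulnerable protocol.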

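This SSL 3.0 weakness allows “secure” HTTP cookies to be decrypted through a man-in-the-middle attack, using a technique that first launches a BEAST attack and then the POODLE attack. So how can this problem be solved?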

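The first and safest approach is to disable the SSLv3.0 protocol completely on both server and client, which removes the concern entirely. However, disabling it touches many environment and application issues, so many systems cannot disable it. What then?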

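The second approach is to have browsers support the TLS_FALLBACK_SCSV mechanism. During the handshake, this mechanism rejects protocol downgrade attacks (TLS 1.2, then a retry with TLS 1.1, then TLS 1.0, then SSL 3.0). Using TLS_FALLBACK_SCSV ensures that an attacker can no longer force a downgrade to SSL 3.0.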
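The server-side half of the TLS_FALLBACK_SCSV mechanism described above, as an added example that is not part of the original article: it parses a ClientHello and applies the RFC 7507 rule that a fallback retry below the server's highest version is refused. The helper names, the `server_max` parameter and the constructed ClientHello bytes are assumptions made for illustration; `0x5600` and alert `86` are the values RFC 7507 defines.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600        # signalling cipher suite value (RFC 7507)
INAPPROPRIATE_FALLBACK = 86       # fatal alert description (RFC 7507)

def parse_client_hello(record: bytes):
    """Return (client_version, cipher_suites) from one TLS record holding a ClientHello."""
    if len(record) < 44:                      # 5 record + 4 handshake + 2 + 32 + 1
        raise ValueError("too short for a ClientHello")
    ctype, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or rec_len < 39 or len(body) != rec_len or body[0] != 0x01:
        raise ValueError("not a complete handshake record with a ClientHello")
    (client_version,) = struct.unpack_from("!H", body, 4)   # after type(1)+length(3)
    pos = 4 + 2 + 32                          # skip version and random
    pos += 1 + body[pos]                      # skip session_id
    if pos + 2 > len(body):
        raise ValueError("truncated before cipher_suites")
    (cs_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("malformed cipher_suites vector")
    suites = [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, cs_len, 2)]
    return client_version, suites

def server_decision(record: bytes, server_max: int = 0x0303):
    """SCSV present and client_version below the server's highest version means
    a downgraded retry, so the server answers with a fatal alert."""
    version, suites = parse_client_hello(record)
    if TLS_FALLBACK_SCSV in suites and version < server_max:
        return ("alert", INAPPROPRIATE_FALLBACK)
    # Assumption: the server accepts every version up to server_max.
    return ("negotiate", min(version, server_max))

def build_client_hello(version: int, suites):
    """Constructed sample input: minimal ClientHello, zero random, no session id or extensions."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (struct.pack("!H", version) + bytes(32) + b"\x00"
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake

if __name__ == "__main__":
    first = build_client_hello(0x0303, [0xC02F, 0x002F])             # normal TLS 1.2 attempt
    retry = build_client_hello(0x0300, [0x002F, TLS_FALLBACK_SCSV])  # fallback retry at SSL 3.0
    legacy = build_client_hello(0x0300, [0x002F])                    # client that only speaks SSL 3.0
    for name, rec in (("first", first), ("retry", retry), ("legacy", legacy)):
        print(name, server_decision(rec))
```

The `legacy` case still negotiates SSL 3.0 because no SCSV is sent, which is why disabling SSLv3.0 outright remains the safest option when it is feasible.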

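Because of this vulnerability, and with Google engineers having discovered the POODLE attack, Google Chrome has announced that it will drop SSLv3.0 support completely within the coming months. You may think this has little to do with us, but for system vendors and for developers who need to interface with browsers this is an important change, so countermeasures must be taken in response!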

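For us as users, use the latest browser version whenever possible, or adjust your browser's supported-protocol settings so that SSLv3.0 is not supported; this also avoids the problem! If you want to know whether your website has SSLv3 enabled, you can test it with the tool provided on this site: Security Test Page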

Below is Chrome's explanation of why it will disable SSLv3.0, for reference!
Posted: Tuesday, October 14, 2014

This POODLE bites: exploiting the SSL 3.0 fallback

Today we are publishing details of a vulnerability in the design of SSL version 3.0. This vulnerability allows the plaintext of secure connections to be calculated by a network attacker. I discovered this issue in collaboration with Thai Duong and Krzysztof Kotowicz (also Googlers).

SSL 3.0 is nearly 18 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue.

Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.

Google Chrome and our servers have supported TLS_FALLBACK_SCSV since February and thus we have good evidence that it can be used without compatibility problems. Additionally, Google Chrome will begin testing changes today that disable the fallback to SSL 3.0. This change will break some sites and those sites will need to be updated quickly.

In the coming months, we hope to remove support for SSL 3.0 completely from our client products.

Thank you to all the people who helped review and discuss responses to this issue.

Posted by Bodo Möller, Google Security Team

Here is a Google article introducing POODLE, which is also worth a look:

ssl-poodle: