Disabling SSLv3 and compression by default - Airtime Security Discussions on Sourcefabric Forum

Airtime Security

Disabling SSLv3 and compression by default

Vote Up0Vote Down Daniel James October 2014
Posts: 844Member, Sourcefabric Team

In response to the POODLE security attack on SSLv3 announced a couple of weeks ago (http://en.wikipedia.org/wiki/POODLE) I have made a little tweak to the default Apache configuration in the Airtime deb package:

https://github.com/Airtime/airtime-packaging/commit/38f8983ff6e7468b40742bae8e109b6b4a34d777

and updated the user manual:

http://sourcefabric.booktype.pro/airtime-25-for-broadcasters/secure-login-with-ssl/

Until Firefox 34 is released, there is an add-on available which can disable SSLv3 connections:

https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/?src=api

It seems users who have not updated the browser that came with older versions of Ubuntu (e.g. Firefox 25) may be vulnerable, due to their browser support for SSLv3. To solve that problem I recommend they use the repository:

http://sourceforge.net/projects/ubuntuzilla/

which offers prompt security updates of official Firefox builds for both
Debian and Ubuntu.

I've explicitly turned SSL compression off as well, because of http://en.wikipedia.org/wiki/CRIME although 'off' has been the default in most versions of Apache (except 2.2.24 to 2.2.25).

Start a New Discussion

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Apply for Membership

Categories

Poll

No poll attached to this discussion.

Top Posters

Albert FR 1978
Martin Konecny 1860
Andrey Podshivalov 1526
Voisses Tech 1423
John Chewter 899
Daniel James 844
Roger Wilco 784
hoerich 627
Paul Baranowski 389
Cliff Wang 339