<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div><font face="Avenir-Book">For this issue I am forwarding along a message that went out to the Security SIG list and IT Partners last night:</font></div>
<div><font face="Avenir-Book"><br>
</font></div>
<div><font face="Avenir-Book">1. </font>SSL 3.0 Vulnerability Disclosed</div>
<div><font face="Avenir-Book"><br>
</font></div>
<div><font face="Avenir-Book">Good Afternoon,</font></div>
<div><font face="Avenir-Book"><br>
</font></div>
<div><font face="Avenir-Book">Engineers at Google have disclosed a vulnerability in SSL 3.0 that can allow a network attacker to decrypt the contents of certain encrypted web communications.</font></div>
<div><font face="Avenir-Book"><br>
</font></div>
<div><font face="Avenir-Book">The exploit is being called POODLE (Padding Oracle On Downgraded Legacy Encryption) and is made possible by the abuse of a deprecated encryption protocol included in most web browsers, and web servers, for legacy site and/or browser
compatibility.</font></div>
<div><font face="Avenir-Book"><br>
</font></div>
<div><font face="Avenir-Book">As a result of this disclosure, both Google and Mozilla have committed to completely removing SSL 3.0 from Firefox and Chrome in the coming months. In the coming days, we expect to see other browser makers, specifically Microsoft
(Internet Explorer) and Apple (Safari), publish plans on how they will be protecting users from the POODLE vulnerability.</font></div>
<div><font face="Avenir-Book"><br>
</font></div>
<div><font face="Avenir-Book">Locally, IS&T plans to upgrade all of its systems to remove SSL 3.0 support and is working to discover non-IS&T sites that still using SSL 3.0 to secure communications. Once discovery is complete, notifications will be sent out
to site administrators.</font></div>
<div><font face="Avenir-Book"><br>
</font></div>
<div><font face="Avenir-Book">IS&T will update this thread as more information is made available from browser makers and as stop-gap mitigation steps are published.</font></div>
<div><font face="Avenir-Book"><br>
</font></div>
<div><font face="Avenir-Book">Regards,</font></div>
<div><font face="Avenir-Book">Security Operations</font></div>
<div><font face="Avenir-Book"><br>
</font></div>
<div><font face="Avenir-Book">A copy of this message can be found on The Knowledge Base:
<a href="http://kb.mit.edu/confluence/x/GIEwCQ">http://kb.mit.edu/confluence/x/GIEwCQ</a> </font></div>
<div><font face="Avenir-Book"><br>
</font></div>
<div><font face="Avenir-Book">--------------------------</font></div>
<div><font face="Avenir-Book"><br>
</font></div>
<div><font face="Avenir-Book">RELEVANT LINKS</font></div>
<div><font face="Avenir-Book"><br>
</font></div>
<div><font face="Avenir-Book">Google Disclosure: <a href="http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html">
http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html</a></font></div>
<div><font face="Avenir-Book"><br>
</font></div>
<div><font face="Avenir-Book">Mozilla Disclosure: <a href="https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/">
https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/</a></font></div>
<div><font face="Avenir-Book"><br>
</font></div>
<div><font face="Avenir-Book">Imperial Violet: <a href="https://www.imperialviolet.org/2014/10/14/poodle.html">
https://www.imperialviolet.org/2014/10/14/poodle.html</a></font></div>
<div><font face="Avenir-Book"><br>
</font></div>
<div><font face="Avenir-Book">POODLE Technical Paper: <a href="https://www.openssl.org/~bodo/ssl-poodle.pdf">
https://www.openssl.org/~bodo/ssl-poodle.pdf</a></font></div>
<div><font face="Avenir-Book"><br>
</font></div>
<div><font face="Avenir-Book"><br>
</font></div>
<div><font face="Avenir-Book"><br>
</font></div>
<div><font face="Avenir-Book">Monique Buchanan</font></div>
<div><font face="Avenir-Book">IT Security Communications Coordinator</font></div>
<div><font face="Avenir-Book">Information Systems & Technology (IS&T)</font></div>
<div><font face="Avenir-Book">Massachusetts Institute of Technology</font></div>
<div><font face="Avenir-Book"><a href="http://ist.mit.edu/secure">http://ist.mit.edu/secure</a></font></div>
<div><font face="Avenir-Book">tel: 617.253.2715</font></div>
<div><font face="Avenir-Book"><br>
</font></div>
<div><br>
</div>
</body>
</html>