Bitcoin Forum
December 11, 2019, 11:03:43 PM *
Author Topic: POODLE vulnerability  (Read 2348 times)
theymos
Administrator
October 15, 2014, 10:47:22 PM
 #1

The POODLE vulnerability in TLS/SSL could have allowed a man-in-the-middle attacker to read encrypted forum traffic. For example, Tor exit nodes could have used this attack against anyone using Tor to access the forum. I disabled SSLv3 to prevent this attack in the future, and I logged everyone out to invalidate any possibly-compromised cookies. If you used a proxy or ISP that you don't absolutely trust to access the forum, then you should also change your password.

Most other sites are similarly affected.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
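
Added example, not part of the original post and not the forum's actual configuration: a small Python check for the mitigation described above, flagging nginx ssl_protocols and Apache SSLProtocol directives that still leave SSLv3 enabled. The function names and sample lines are constructed for illustration, and it assumes Apache's "all" shortcut includes SSLv3, which depends on the OpenSSL build.

```python
# Added example: flags TLS directives that still leave SSLv3 enabled.
# Assumption: Apache's "all" shortcut includes SSLv3 (true unless OpenSSL was
# built with no-ssl3); every name below is hypothetical, not the forum's code.
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
CANON = {p.lower(): p for p in APACHE_ALL | {"SSLv2"}}  # Apache names are case-insensitive

def nginx_protocols(args):
    """nginx ssl_protocols: exactly the listed protocols are enabled."""
    return set(args)

def apache_protocols(args):
    """Apache SSLProtocol: '+X' adds, '-X' removes, a bare name replaces the set."""
    enabled = set()
    for tok in args:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        group = APACHE_ALL if name.lower() == "all" else {CANON.get(name.lower(), name)}
        if sign == "+":
            enabled |= group
        elif sign == "-":
            enabled -= group
        else:
            enabled = set(group)
    return enabled

PARSERS = {"ssl_protocols": nginx_protocols, "sslprotocol": apache_protocols}

def find_sslv3(config_text):
    """Return (line number, directive, enabled protocols) where SSLv3 stays on."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        parts = raw.split("#", 1)[0].strip().rstrip(";").split()
        if not parts or parts[0].lower() not in PARSERS:
            continue
        enabled = PARSERS[parts[0].lower()](parts[1:])
        if "SSLv3" in enabled:
            findings.append((no, parts[0], sorted(enabled)))
    return findings

# Constructed sample directives (not taken from any real server).
SAMPLE = """\
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # weak: SSLv3 still offered
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;         # SSLv3 removed
SSLProtocol all -SSLv2                       # weak: "all" keeps SSLv3
SSLProtocol all -SSLv2 -SSLv3                # SSLv3 removed
"""

if __name__ == "__main__":
    for no, directive, protos in find_sslv3(SAMPLE):
        print(f"line {no}: {directive} leaves SSLv3 enabled -> {protos}")
```
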
Quickseller
October 15, 2014, 10:54:20 PM
 #2

Should we consider PIA to be an untrusted proxy, or should we generally be safe with them?

Find the fire hydrant in my Avatar for a prize.
haploid23
October 15, 2014, 11:01:34 PM
 #3

So only "untrustworthy ISP" and TOR users are affected, everyone else safe? I hate changing PW's. More susceptible to forget them.

theymos
Administrator
October 15, 2014, 11:18:40 PM
 #4

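Quote from: Quickseller on October 15, 2014, 10:54:20 PM
Should we consider PIA to be an untrusted proxy, or should we generally be safe with them?

Quote from: haploid23 on October 15, 2014, 11:01:34 PM
So only "untrustworthy ISP" and TOR users are affected, everyone else safe? I hate changing PW's. More susceptible to forget them.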

You'll have to use your own judgement on that. Do you trust that your VPN/ISP didn't use this attack against you to steal your password?

Some things to know:
- It's an active attack, so if your ISP was just recording traffic, this wouldn't help them now.
- If you didn't actually use your password to log in within the last couple of days (ie, not just logging in using "remember me"), then your ISP only could have stolen your password if they'd known about the vulnerability before it was publicly announced.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
peligro
October 15, 2014, 11:21:14 PM
 #5

Doesn't sound too dangerous as I use only ISP directly, changed my password anyway.

Btw, POODLE? Quite a letdown, after cool names like Heartbleed and Shellshock.
theymos
Administrator
October 15, 2014, 11:24:02 PM
 #6

Quote from: peligro on October 15, 2014, 11:21:14 PM
Btw, POODLE? Quite a letdown, after cool names like Heartbleed and Shellshock.

Yeah, it's a terrible name. The vulnerability isn't nearly as bad as Heartbleed or Shellshock, though.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
elitenoob
October 15, 2014, 11:39:24 PM
 #7

Thanks for the info...hate to change pwd's but it's (almost) never too late :)
Vortex20000
October 16, 2014, 02:48:05 AM
 #8

I've logged in through Cyberghost, but they have decent reviews so I'm not changing PW. ;)

ranochigo
October 16, 2014, 04:04:55 AM
 #9

If you used a WIFI that is unsecured or using WEP or vulnerable WPS encryption, you should change your password. Attacks may have been executed on the network, so your accounts may be compromised.

goozman96
October 16, 2014, 05:19:08 AM
 #10

It seems never ending. Every other month some new vulnerability is discovered. This sucks

BTC: 19DKtsdGfQyFzNiEze9KuFQrWGiLDvg6F1 | LTC: LbV6UGyjYbVP49NvQFmuAnkADcaFYvNagK | NMC: NDCdMJmTmGH54Cezmo3CwSxAC7grAoZJbj
dserrano5
October 16, 2014, 07:02:39 AM
 #11

Thank you theymos. Password changed—again :P.
Beastlymac
October 16, 2014, 07:03:51 AM
 #12

Quote from: peligro on October 15, 2014, 11:21:14 PM
Btw, POODLE? Quite a letdown, after cool names like Heartbleed and Shellshock.

Quote from: theymos on October 15, 2014, 11:24:02 PM
Yeah, it's a terrible name. The vulnerability isn't nearly as bad as Heartbleed or Shellshock, though.

It is an acronym; it stands for "Padding Oracle On Downgraded Legacy Encryption"

Message me if you have any problems
Vortex20000
October 16, 2014, 07:05:34 AM
 #13

Quote from: peligro on October 15, 2014, 11:21:14 PM
Btw, POODLE? Quite a letdown, after cool names like Heartbleed and Shellshock.

Quote from: theymos on October 15, 2014, 11:24:02 PM
Yeah, it's a terrible name. The vulnerability isn't nearly as bad as Heartbleed or Shellshock, though.

Quote from: Beastlymac on October 16, 2014, 07:03:51 AM
It is an acronym; it stands for "Padding Oracle On Downgraded Legacy Encryption"

Oh. Thank you for the clarification and explanation ::)

sgk
October 16, 2014, 07:15:39 AM
 #14

Quote from: peligro on October 15, 2014, 11:21:14 PM
Btw, POODLE? Quite a letdown, after cool names like Heartbleed and Shellshock.

Quote from: theymos on October 15, 2014, 11:24:02 PM
Yeah, it's a terrible name. The vulnerability isn't nearly as bad as Heartbleed or Shellshock, though.

Quote from: Beastlymac on October 16, 2014, 07:03:51 AM
It is an acronym; it stands for "Padding Oracle On Downgraded Legacy Encryption"

The vulnerability was discovered by Google, so most likely they came up with DOODLE acronym first and then worked their way back to generate a plausible-sounding full form :P
Vortex20000
October 16, 2014, 07:17:24 AM
 #15

Quote from: peligro on October 15, 2014, 11:21:14 PM
Btw, POODLE? Quite a letdown, after cool names like Heartbleed and Shellshock.

Quote from: theymos on October 15, 2014, 11:24:02 PM
Yeah, it's a terrible name. The vulnerability isn't nearly as bad as Heartbleed or Shellshock, though.

Quote from: Beastlymac on October 16, 2014, 07:03:51 AM
It is an acronym; it stands for "Padding Oracle On Downgraded Legacy Encryption"

Quote from: sgk on October 16, 2014, 07:15:39 AM
The vulnerability was discovered by Google, so most likely they came up with DOODLE acronym first and then worked their way back to generate a plausible-sounding full form :P

DOODLE and POODLE - D and P

Dire and Padding?

sgk
October 16, 2014, 07:31:38 AM
 #16

Quote from: peligro on October 15, 2014, 11:21:14 PM
Btw, POODLE? Quite a letdown, after cool names like Heartbleed and Shellshock.

Quote from: theymos on October 15, 2014, 11:24:02 PM
Yeah, it's a terrible name. The vulnerability isn't nearly as bad as Heartbleed or Shellshock, though.

Quote from: Beastlymac on October 16, 2014, 07:03:51 AM
It is an acronym; it stands for "Padding Oracle On Downgraded Legacy Encryption"

Quote from: sgk on October 16, 2014, 07:15:39 AM
The vulnerability was discovered by Google, so most likely they came up with DOODLE acronym first and then worked their way back to generate a plausible-sounding full form :P

Quote from: Vortex20000 on October 16, 2014, 07:17:24 AM
DOODLE and POODLE - D and P

Dire and Padding?

My bad! Although they both don't look much different to me :P
fronti
October 16, 2014, 07:32:10 AM
 #17

maybe to add also in the "News" that all users are automatically logged out.
I was very surprised if I see me logged out.

Ok first I do was to go (still logged out) to meta and see in this thread that all are logged out by you..

If you like to give me a tip:  bc1q8ht32j5hj42us5qfptvu08ug9zeqgvxuhwznzk

"Bank robbery is an undertaking for dilettantes. True professionals found a bank." Bertolt Brecht
zetaray
October 16, 2014, 08:27:52 AM
 #18

This is the reason I was logged out from bitcointalk. Took me a few minutes to figure out my own password, the one I changed in a rush after the previous SSL bug.

shorena
October 16, 2014, 09:17:14 AM
 #19

Quote from: zetaray on October 16, 2014, 08:27:52 AM
This is the reason I was logged out from bitcointalk. Took me a few minutes to figure out my own password, the one I changed in a rush after the previous SSL bug.

Don't get used to it, just change it again :P
Kluge
October 16, 2014, 09:26:29 AM
 #20

Quote from: zetaray on October 16, 2014, 08:27:52 AM
This is the reason I was logged out from bitcointalk. Took me a few minutes to figure out my own password, the one I changed in a rush after the previous SSL bug.

I was pretty pleased to find I still had it saved. I thought I forgot to save it when I last changed it and talked to theymos about an account recovery. Maybe just a weird dream... ever have that? Sometimes dream about weird, mundane stuff like shampooing hair, then forget to take a shower in the morning because I thought I already had. -Or I'll think the dog died a year ago, then see it when I wake up... scares the bejesus out of me.

Anyway - not sure what's wrong with the name. Poodles are bad news. If it derived from BEAST attack, POODLE seems like a pretty reasonable name for a successor.