#1 2014-10-16 20:37:15

alexlangley
Guest

Guidance on SSLv3 "POODLE" bug

Can you please give us some guidance on protecting EpicBrowser against this bug?

I tried the following, but all it did was replace my on-startup set of pages with the flag.

"CHROME

Chrome users don't have an option in the GUI to disable SSLv3 as Google removed it due to confusion over whether SSLv3 or TLSv1 was better with one having a higher numeric value. Instead you can add the command line flag --ssl-version-min=tls1 to enforce the use of TLS and prevent any connection using the SSL protocol. In Windows, right click on your Chrome shortcut, hit Properties and add the command line flag as seen in the image below."

Instead of opening my homepage it opens the flag.

I used the following tool to test if it was still enabled: https://www.ssllabs.com/ssltest/viewMyClient.html

"SSL 3    Yes"


#2 2014-10-20 01:29:14

alexlangley
Guest

Re: Guidance on SSLv3 "POODLE" bug

Hello, you retweeted the following on your Twitter...

"Thank you @epicbrowser for being poodleproof right out of the box! i now have 2 browsers that are poodle proof wink #epicbrowser"

Source: https://twitter.com/jdfrasure/status/523109520789504000

Is this vulnerability already squashed in the current release? Why does the SSLLabs test say otherwise? Thanks.


#3 2014-10-21 03:37:39

sathi
Administrator

Re: Guidance on SSLv3 "POODLE" bug

Hi alexlangley,

Sorry for the late response.
SSL 3 is not disabled in Epic by default. But we are not vulnerable. You can test this on https://www.poodletest.com/
Please let us know what you think about this.


#4 2014-10-21 05:24:19

alexlangley
Guest

Re: Guidance on SSLv3 "POODLE" bug

No problem, thanks for responding!

Can you investigate why the SSLLabs test says EB is vulnerable?
Is there a way to disable SSL3 completely in EB (excluding the method listed in the original post)?

Surprisingly the ONLY browser which has an easy method of disabling SSL3 and passes every poodle test I have used... is Internet Explorer!


#5 2014-10-22 18:56:25

alok
Administrator

Re: Guidance on SSLv3 "POODLE" bug

Hi Alex,

SSLLabs may say EB is vulnerable because of possible user-agent / Epic version errors. We're on Chromium 37, but some user-agents still say 34 (sorry about that, we're fixing it).

Google claims Chromium/Chrome isn't vulnerable thanks to TLS_FALLBACK_SCSV -- which prevents MITM attacks via POODLE but doesn't break sites still using SSL 3.0 by blocking it completely. Here's what the POODLE discoverers over at Google say: "Therefore our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0."

You're right that Chromium doesn't offer a simple way to disable SSL3. You have to do it via the command line (opening Epic via a special command in the command line, though there are also a few scripts available). Here are some resources on doing that for Macs:
http://apple.stackexchange.com/question … nerability
https://github.com/Olivetti/Disable-SSL … er-for-OSX
And Windows:
https://zmap.io/sslv3/browsers.html#chrome-windows

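Alok's post contrasts two defences: TLS_FALLBACK_SCSV, which stops the retry-based downgrade without refusing SSL 3.0-only sites, and --ssl-version-min=tls1, which refuses SSL 3.0 outright. The following Python model is an added example, not code from this thread, from Epic or from Chromium: the version numbers and the 0x5600 SCSV value are the real ones from RFC 7507, while the Server class, the connect() "downgrade dance" and the attacker_drops_above parameter are a simplified construction for illustration.

```python
from dataclasses import dataclass

# Record-layer version numbers and the real SCSV value from RFC 7507.
SSL3, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)
VERSIONS = [SSL3, TLS10, TLS11, TLS12]
TLS_FALLBACK_SCSV = 0x5600    # signalling cipher suite value
AES128_SHA = 0x002F           # an ordinary suite so the offer is non-empty

@dataclass
class Server:
    """Toy server (constructed for this example, not real TLS code)."""
    max_version: tuple
    supports_scsv: bool = True

    def accept(self, client_version, suites):
        """Answer one ClientHello: ('ok', version) or ('alert', reason)."""
        # RFC 7507: an SCSV-bearing hello below our best version can only
        # be a fallback retry, so refuse it instead of downgrading.
        if (self.supports_scsv and TLS_FALLBACK_SCSV in suites
                and client_version < self.max_version):
            return ("alert", "inappropriate_fallback")
        return ("ok", min(client_version, self.max_version))

def connect(server, client_max=TLS12, client_min=SSL3, attacker_drops_above=None):
    """Browser side of the downgrade dance: try the highest version and, when
    the network gives no answer, retry one lower with TLS_FALLBACK_SCSV added.
    attacker_drops_above models a MITM killing every handshake above that
    version (the POODLE setup). client_min models --ssl-version-min=tls1."""
    for version in reversed(VERSIONS):
        if not (client_min <= version <= client_max):
            continue
        suites = [AES128_SHA]
        if version < client_max:
            suites.append(TLS_FALLBACK_SCSV)   # mark this as a fallback attempt
        if attacker_drops_above is not None and version > attacker_drops_above:
            continue                           # no reply: browser retries lower
        status, detail = server.accept(version, suites)
        if status == "ok" and detail >= client_min:
            return detail
        return None   # alert, or ServerHello below our floor: abort, no downgrade
    return None

if __name__ == "__main__":
    modern, no_scsv, ssl3_only = Server(TLS12), Server(TLS12, supports_scsv=False), Server(SSL3)
    print(connect(no_scsv, attacker_drops_above=SSL3))   # (3, 0): downgraded to SSL 3.0
    print(connect(modern, attacker_drops_above=SSL3))    # None: SCSV stops the downgrade
    print(connect(ssl3_only), connect(ssl3_only, client_min=TLS10))  # (3, 0) None
```

The last line shows the trade-off from the post: the SCSV-aware browser still reaches an SSL 3.0-only server, whereas the TLS 1.0 floor refuses it.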
