[Solved] Critical Security Issue SSLv3


Postby Ollie » Wed Mar 25, 2015 8:07 pm

A friend of mine, who's also an online merchant, brought to my attention that the translation portion of my website (hosted by GTranslate) is vulnerable to a Poodle attack. According to Edvard Ananyan from GTranslate, "all the up to date browsers do not use SSLv3". I ran a test on https://www.poodletest.com/ using Internet Explorer and found out that IE is vulnerable. The two other browsers I tested (Chrome and Firefox) are not vulnerable, according to the test results. I wonder what other users think about this and what GTranslate has to say about this issue. My request to get the problem fixed ASAP has so far been fruitless. And by the way I use the latest version of Explorer and as far as I'm concerned, my browser is up to date. For those wanting to test any server's vulnerability, this is a good starting point: https://www.whynopadlock.com

PS: I have disabled translation on my website pending a quick resolution by GTranslate. If this is going to take a long time then it's reasonable to expect them not to charge me for a service I'm not using.
Last edited by Ollie on Wed Mar 25, 2015 8:24 pm, edited 1 time in total.
Ollie
 
Posts: 16
Joined: Sat Jun 21, 2014 3:37 pm

Re: Critical Security Issue

Postby Edvard » Wed Mar 25, 2015 8:21 pm

Hi,

What is your IE version?

Thanks!
Regards,

Edvard Ananyan - GTranslate Team

Please leave your feedback on your CMS plugin directory. It is very important for us!
Google Translate Joomla
Google Translate WordPress
Google Translate Drupal
Edvard
Site Admin
 
Posts: 4184
Joined: Mon Jun 28, 2010 1:54 pm
Location: Yerevan, Armenia

Re: Critical Security Issue SSLv3

Postby Ollie » Wed Mar 25, 2015 8:27 pm

IE version 10. The browser version is not very relevant as it is something we merchants cannot control. But we can control our server side by eliminating potential threats. I have disabled translation from my website pending a prompt resolution by your company.

Re: Critical Security Issue SSLv3

Postby Edvard » Wed Mar 25, 2015 9:02 pm

So when you open poodletest.com on your IE 10 you see a poodle?

I'm using IE 11 and I do not see it.
Regards,

Edvard Ananyan - GTranslate Team


Re: Critical Security Issue SSLv3

Postby Ollie » Wed Mar 25, 2015 10:40 pm

Edvard, that's not the issue. It's not a matter of which browser the person is using. How many people are using the latest version of their browsers? And how many keep their browsers up to date? Have you ever asked yourself those questions? What I'm trying to say is that we cannot control which browser people are using or whether they have their browsers up to date, but we can make changes on our side to make the web a safer place. What are you not understanding about my message? Why are you dragging your feet to fix your server and make it safer? It does have a vulnerability threat when accessed via Explorer 10 and possibly earlier versions. I'm disappointed at your company, after all the time I invested on this website only to find out in the end that there is a security issue and you're not doing much to fix it. I think the public should be aware of the risks involved with using a vulnerable server. As it is, GTranslate is not safe. It is vulnerable to a Poodle attack. This is not the kind of customer service I expect from a reputable company. You still did not give me a timeframe for a fix. In the meantime, translation has been turned off on my website (because I care about my customers' security). I think this is the right time to take action before more people learn about this issue and you start losing customers. Think about it!

Re: Critical Security Issue SSLv3

Postby Edvard » Wed Mar 25, 2015 10:58 pm

Ollie, you are taking it very seriously. I'm sure you do not even know what the Poodle vulnerability is. You just know that there is a vulnerability and that is enough for you to start blaming people.

I know what it is and I know that chances are about 0 to have a leak even if you use SSLv3 with our current configuration, since we block many concurrent requests, which are required to be able to do a Poodle attack.

I can only tell you that we are working on it, but it is not an easy task to do and it will take some time to make some tests before we bring it to our customers.

When I tell you that we are working on it, it means that we are taking actions to solve the possible issue. We knew about the issue before you learned about it, so I just want to ask you to be a little bit more patient.

Thank you.
Regards,

Edvard Ananyan - GTranslate Team


Re: Critical Security Issue SSLv3

Postby Ollie » Wed Mar 25, 2015 11:05 pm

Thanks for the explanation. It doesn't matter whether I know what a Poodle attack is or not. An attack is an attack and presumably it's not something to look forward to. LOL... If you can guarantee me that there is a 0 % chance of an attack, I can live with that. I'm not trying to blame you for the vulnerability itself but for not responding in a satisfactory manner. And yes, internet security is serious business. And yes I do take it seriously and you should too, especially in your position running a company that offers a service that impacts, I presume, hundreds if not thousands of merchants. I suggest that you also make this issue public and disclose it to your customers. It's the right thing to do. Users should be aware of possible risks and what's being done about them. That way we can make informed decisions. I need to explore this issue further before deciding to turn translation back on. I appreciate any updates on this issue. Thanks.
Last edited by Ollie on Wed Mar 25, 2015 11:18 pm, edited 1 time in total.

Re: Critical Security Issue SSLv3

Postby Edvard » Wed Mar 25, 2015 11:09 pm

Ollie, what more could I tell you than that we are working on the issue, to make it satisfactory?

The issue is in SSLv3; it is absolutely not related to GTranslate. I cannot shout louder than the people who made SSL to let people know that there is an issue.

Thank you!
Regards,

Edvard Ananyan - GTranslate Team


Re: Critical Security Issue SSLv3

Postby Ollie » Wed Mar 25, 2015 11:14 pm

Wait a minute. The SSLv3 issue is definitely related, especially if someone tries to access GTranslate content using a browser that is vulnerable (like Internet Explorer 10) to an attack. I don't know much about the technicalities involved, but I was reading that the solution is to turn off SSLv3 protocol on your server. That seems pretty simple to me. Maybe you could take the time to explain what's so difficult about this. That would give me (and other concerned users) another measure of reassurance that you guys care about security.

Re: Critical Security Issue SSLv3

Postby Edvard » Wed Mar 25, 2015 11:31 pm

Ollie, we are working to disable SSLv3.

Thanks!
Regards,

Edvard Ananyan - GTranslate Team


Re: Critical Security Issue SSLv3

Postby Edvard » Thu Mar 26, 2015 1:16 am

Hi,

SSLv3 support has been disabled.

Thanks!
Regards,

Edvard Ananyan - GTranslate Team

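A server-side check for the fix reported above, as an added example that is not part of the original thread or GTranslate's code: it sends one SSLv3-only ClientHello and reports whether the server answers with an SSLv3 ServerHello, independent of which browser a visitor uses. The function names, the cipher-suite list and the result labels are assumptions made for this illustration.

```python
import os
import socket
import struct

SSL3 = b"\x03\x00"  # protocol version bytes for SSL 3.0
# Constructed offer: RSA key-exchange suites that SSLv3-era servers commonly enabled.
CIPHER_SUITES = (0x002F, 0x0035, 0x000A, 0x0005, 0x0004)

def build_client_hello(client_random):
    """Raw SSLv3 ClientHello record; SSLv3 has no extensions, so no SNI is sent."""
    suites = b"".join(struct.pack("!H", c) for c in CIPHER_SUITES)
    body = (SSL3 + client_random + b"\x00"              # version, 32-byte random, empty session id
            + struct.pack("!H", len(suites)) + suites   # cipher suite list
            + b"\x01\x00")                              # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit length
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake

def classify_reply(data):
    """Classify the first bytes a server returns to an SSLv3-only ClientHello."""
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x02:
        # Handshake record carrying a ServerHello; bytes 9-10 hold the chosen version.
        return "sslv3-enabled" if data[9:11] == SSL3 else "negotiated-other"
    if len(data) >= 7 and data[0] == 0x15:
        # Alert record: this hello was refused. A server with SSLv3 on but none of
        # the offered suites would also alert, so widen CIPHER_SUITES before concluding.
        return "sslv3-refused"
    return "closed-without-hello" if not data else "unrecognized"

def probe(host, port=443, timeout=5.0):
    """Send one SSLv3-only ClientHello to a server you operate and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(os.urandom(32)))
        data = b""
        try:
            while len(data) < 11:          # enough bytes to read the ServerHello version
                chunk = sock.recv(4096)
                if not chunk:
                    break                  # peer closed the connection
                data += chunk
        except OSError:
            pass                           # reset or timeout: no ServerHello arrived
    return classify_reply(data)
```

Because the hello carries no SNI, a host serving several sites answers with its default virtual host's TLS settings.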

Re: Critical Security Issue SSLv3

Postby Ollie » Thu Mar 26, 2015 1:34 am

Great. According to this website, all it takes is one line of code for nginx servers: https://zmap.io/sslv3/servers.html

Please let me know when it's done. Thank you, again.

Re: Critical Security Issue SSLv3

Postby Edvard » Thu Mar 26, 2015 1:35 am

Why do you not read my messages?
Regards,

Edvard Ananyan - GTranslate Team


Re: Critical Security Issue SSLv3

Postby Ollie » Thu Mar 26, 2015 1:42 am

Sorry, I was having trouble with this board. I posted again without realizing that there were additional comments on page 2. Good to know SSLv3 has been disabled. Thanks for your diligent work. Very much appreciated.

Re: [Solved] Critical Security Issue SSLv3

Postby Yana » Thu Mar 26, 2015 11:36 am

You are welcome! :)
Regards,

Yana Ghahramanyan - GTranslate Team

Yana
 
Posts: 4135
Joined: Thu Jan 12, 2012 6:21 pm

