[Solved] Critical Security Issue SSLv3

[Ollie]

A friend of mine, who's also an online merchant, brought to my attention that the translation portion of my website (hosted by GTranslate) is vulnerable to a Poodle attack. According to Edvard Ananyan from GTranslate, "all the up to date browsers do not use SSLv"3". I ran a test on https://www.poodletest.com/ using Internet Explorer and found out that IE is vulnerable. The two other browsers I tested (Chrome and Firefox) are not vulnerable, according to the test results. I wonder what other users think about this and what GTranslate has to say about this issue. My request to get the problem fixed ASAP has so far been fruitless. And by the way I use the latest version of Explorer and as far as I'm concerned, my browser is up to date. For those wanting to test any server's vulnerability, this is a good starting point: https://www.whynopadlock.com

PS: I have disabled translation on my website pending a quick resolution by GTranslate. If this is going to take a long time then it's reasonable to expect them not to charge me for a service I'm not using.

[Edvard]

Hi,

What is your IE version?

Thanks!

[Ollie]

IE version 10. The browser version is not very relevant as it is something we merchants cannot control. But we can control our server side by eliminating potential threats. I have disabled translation from my website pending a prompt resolution by your company.

[Edvard]

So when you open poodletest.com on your IE 10 you see a poodle?

I'm using IE 11 and I do not see it.

[Ollie]

Edvard, that's not the issue. It's not a matter of which browser the person is using. How many people are using the latest version of their browsers? And how many keep their browsers up to date? Have you ever asked yourself those questions? What I'm trying to say is that we cannot control which browser people are using or whether they have their browsers up to date, but we can make changes on our side to make the web a safer place. What are not understanding about my message? Why are you dragging your feet to fix your server and make it safer? It does have a vulnerability threat when accessed via Explorer 10 and possibly earlier versions. I'm disappointed at your company, after all the time I invested on this website only to find out in the end that there is a security issue and you're not doing much to fix it. I think the public should be aware of the risks involved with using a vulnerable server. As it is, Gtranslate is not safe. It is vulnerable to a Poodle attack. This is not the kind of customer service I expect from a reputable company. You still did not give me a timeframe for a fix. In the meantime, translation has been turned off on my website (because I care about my customers security). I think this is the right time to take action before more people learn about this issue and you start losing customers. Think about it!

[Edvard]

Ollie, you are taking it very seriously. I'm sure you do not even know what is poodle vulnerability. You just know that there is a vulnerability and that is enough for you to start blaming people.

I know what it is and I know that chances are about 0 to have a leak even if you use SSLv3 with our current configuration, since we block many concurrent requests which is required to be able to do a poodle attack.

I can only tell you that we are working on it, but it is not an easy task to do and it will take some time to make some tests before we bring it to our customers.

When I tell you that we are working on it, it means that we are taking actions to solve the possible issue. We knew about the issue before you learned about it, so I just want to ask you to be little bit more patient.

Thank you.

[Ollie]

Thanks for the explanation. It doesn't matter whether I know what a Poodle attack is or not. An attack is an attack and presumably it's not something to look forward to. LOL... If you can guarantee me that there is a 0 % chance of an attack, I can live with that. I'm not trying to blame you for the vulnerability itself but for not responding in a satisfactory manner. And yes, internet security is serious business. And yes I do take it seriously and you should too, especially in your position running a company that offers a service that impacts, I presume, hundreds if not thousands of merchants. I suggest that you also make this issue public and disclose it to your customers. It's the right thing to do. Users should be aware of possible risks and what's being done about them. That way we can make informed decisions. I need to explore this issue further before deciding to turn translation back on. I appreciate any updates on this issue. Thanks.

[Edvard]

Ollie, what else I could tell you more that we are working on the issue, to make it a satisfactory?

The issue is in SSLv3 it is absolutely not related to GTranslate. I cannot shout louder than people who made SSL to let people know that there is an issue.

Thank you!

[Ollie]

Wait a minute. The SSLv3 issue is definitely related, especially if someone tries to access GTranslate content using a browser that is vulnerable (like Internet Explorer 10) to an attack. I don't know much about the technicalities involved, but I was reading that the solution is to turn off SSLv3 protocol on your server. That seems pretty simple to me. Maybe you could take the time to explain what's so difficult about this. That would give me (and other concerned users) another measure of reassurance that you guys care about security.

[Edvard]

Ollie, we are working to disable SSLv3.

Thanks!

[Edvard]

Hi,

SSLv3 support has been disabled.

Thanks!

[Ollie]

Great. According to this website, all it takes is one line of code for nginx servers: https://zmap.io/sslv3/servers.html

Please let me know when it's done. Thank you, again.

[Edvard]

Why you do not read my messages?

[Ollie]

Sorry, I was having trouble with this board. I posted again without realizing that there were additional comments on page 2. Good to know SSLv3 has been disabled. Thanks for your diligent work. Very much appreciated.

[Yana]

You are welcome!