SSL 3.0 Vulnerability - POODLE Bug

I should have written something back in Oct 2014...

Pegasus Mail with the distributed OpenSSL binaries is vulnerable to the POODLE attack -- in theory, in practice no.

While other protocols (e.g., HTTPS) are more likely to be exploited by an active man-in-the-middle to downgrade
connections to SSLv3, that is a near impossibility with email protocols (i.e., POP3S, SMTPS, IMAPS).
In a web setting, the SSLv3 weakness can be exploited by a MITM attacker who repeatedly re-crafts client requests
to the server. On average this effort requires 256 requests per byte of data.

One may "drop-in" updated OpenSSL binaries in-place of those distributed with Pegasus Mail.
However since Pegasus does not employ the TLS_FALLBACK_SCSV mechanism, an attacker
can still force a protocol "downgrade dance".

If one has a need to absolutely disable the SSLv3 protocol, I've compiled "openssl-1.0.2d-no-ssl23-win32-static-x86"
which has no SSLv2 or SSLv3 support.
http://www.guysalias.tk/misc/openssl/
(The file "openssl-1.0.2d-no-ssl23-win32-static-x86-tests.txt" shows SSLv2 and SSLv3 as unsupported,
TLSv1, TLSv1.1, and TLSv1.2 as supported cipher-suites).
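The "downgrade dance" and the TLS_FALLBACK_SCSV check mentioned above can be made concrete with a small model. The following is an added example, not code from Pegasus Mail or OpenSSL: it simulates a client that retries with successively lower protocol versions, an active attacker dropping handshakes to force that retry, and a server that either honours the RFC 7507 signalling cipher suite or ignores it. The version numbers and the 0x5600 SCSV value are the real protocol constants; the client retry policy, the server model and the sample cipher list are constructed for the illustration.

```python
# Added illustration (not code from Pegasus Mail or OpenSSL): a model of the
# "downgrade dance" and of the TLS_FALLBACK_SCSV check from RFC 7507, so the
# difference between a server that honours the SCSV and one that ignores it,
# and between a client that sends it and one that does not, is visible.

TLS_FALLBACK_SCSV = 0x5600          # RFC 7507 signalling cipher suite value
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
NAMES = {SSL3: "SSLv3", TLS10: "TLSv1.0", TLS11: "TLSv1.1", TLS12: "TLSv1.2"}

# Constructed sample cipher list a client might offer (AES128-SHA, AES256-SHA)
SAMPLE_SUITES = [0x002F, 0x0035]


def server_handshake(server_max, client_version, cipher_suites, scsv_aware):
    """Model the server side of a ClientHello.

    Returns ("ok", negotiated_version) or ("abort", "inappropriate_fallback").
    RFC 7507 section 3: if the SCSV is present and the client's offered version is
    lower than the highest version the server supports, the server must abort.
    A server that predates the SCSV (scsv_aware=False) ignores the unknown suite.
    """
    if scsv_aware and TLS_FALLBACK_SCSV in cipher_suites and client_version < server_max:
        return ("abort", "inappropriate_fallback")
    return ("ok", min(client_version, server_max))


def downgrade_dance(server_max, scsv_aware, mitm_kills_above=None, client_sends_scsv=True):
    """Model a client that retries with successively lower protocol versions.

    mitm_kills_above: if set, an active attacker drops every handshake whose
    offered version is above this value, forcing the client to fall back.
    client_sends_scsv: a client that does not implement RFC 7507 (the situation
    described for Pegasus Mail in the post above) never adds the SCSV on retries.
    Returns the negotiated version, or None if no connection was established.
    """
    for attempt, version in enumerate([TLS12, TLS11, TLS10, SSL3]):
        suites = list(SAMPLE_SUITES)
        if attempt > 0 and client_sends_scsv:
            suites.append(TLS_FALLBACK_SCSV)   # retries carry the fallback signal
        if mitm_kills_above is not None and version > mitm_kills_above:
            continue                           # handshake dropped; client retries lower
        status, result = server_handshake(server_max, version, suites, scsv_aware)
        if status == "ok":
            return result
        return None                            # server sent inappropriate_fallback alert
    return None


if __name__ == "__main__":
    for aware in (False, True):
        for sends in (False, True):
            got = downgrade_dance(TLS12, scsv_aware=aware,
                                  mitm_kills_above=SSL3, client_sends_scsv=sends)
            print(f"server honours SCSV={aware}, client sends SCSV={sends}: "
                  f"{NAMES.get(got, 'connection refused')}")
```

The last case in the loop is the one the post describes: a server that supports TLS 1.2 and honours the SCSV still ends up on SSLv3 when the client never sends the signalling suite, because the server has no way to tell a forced fallback from a client that genuinely supports nothing newer. A legitimately old server (say, TLS 1.0 only) is not harmed by the SCSV, since the client's offered version then equals the server's maximum.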


Is Pmail affected by the new SSL 3.0 Vulnerability – POODLE Bug?
Some providers want to disable SSL V3 in the near future.
Does Pmail V4.7 support SSL V3.1-TLS 1.0 / TLS 1.1 / TLS 1.2 connections?

Peggy  [W]


Has no one answered this question? I'm asking the same question ten months later (August 2015). Even slow Microsoft had a fix back in January, 2015.

Pegasus' built-in Help mentions using SSL v3 for SMTP and POP email connections. (Pmail v. 4.70 for Windows)

An email provider's server "should" no longer offer SSL v3. But, if one server does offer SSL v3, then will Pegasus use that insecure connection?

Relevant alerts re SSL v3:

from IETF: https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00

from NIST (in U.S.): https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566

- John
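The question above, whether a client will quietly accept an SSLv3 connection if a server still offers one, is best answered by not leaving the choice to the server at all. The following is an added example, not part of Pegasus Mail: it builds a client context with a hard protocol floor and uses it to report which version a mail server actually negotiates on its implicit-TLS ports (POP3S 995, IMAPS 993, SMTPS 465). The host name in the usage block is a placeholder; the floor defaults to TLS 1.2 as a present-day choice, which is stricter than the TLS 1.0 minimum the builds discussed in this thread still allowed.

```python
# Added helper (not part of Pegasus Mail): a client TLS context that cannot
# negotiate SSLv2/SSLv3 (or, by default, anything below TLS 1.2), and a probe
# that reports which protocol version a mail server negotiates on its
# implicit-TLS port.  The host name in __main__ is a constructed placeholder;
# the port numbers are the standard ones for POP3S, IMAPS and SMTPS.
import socket
import ssl

MAIL_TLS_PORTS = {"pop3s": 995, "imaps": 993, "smtps": 465}
ACCEPTABLE = {"TLSv1.2", "TLSv1.3"}


def tls_only_context(min_version=ssl.TLSVersion.TLSv1_2):
    """Default client context (certificate verification and hostname check on)
    with a hard floor on the protocol version, so no fallback below it is possible."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = min_version
    return ctx


def version_is_acceptable(version_name):
    """True for the protocol versions a client should still accept from a mail server."""
    return version_name in ACCEPTABLE


def negotiated_version(host, port, timeout=5.0):
    """Connect to an implicit-TLS mail port and return the negotiated version
    string (e.g. 'TLSv1.2').  If the server offers nothing at or above the floor
    the handshake fails with ssl.SSLError, which is the desired behaviour for a
    hardened client rather than silently falling back."""
    ctx = tls_only_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def check_mail_server(host, services=("pop3s", "imaps", "smtps")):
    """Return {service: negotiated version or failure message} for each port."""
    report = {}
    for name in services:
        try:
            report[name] = negotiated_version(host, MAIL_TLS_PORTS[name])
        except OSError as exc:          # ssl.SSLError and socket errors are OSError
            report[name] = f"handshake failed: {exc}"
    return report


if __name__ == "__main__":
    # 'mail.example.invalid' is a placeholder; substitute your provider's host.
    for svc, result in check_mail_server("mail.example.invalid").items():
        flag = "ok" if version_is_acceptable(result) else "REVIEW"
        print(f"{svc:6s} {result} [{flag}]")
```

Because the floor is set on the client side, a server that still offers SSLv3 cannot make this client use it; the connection simply fails and the failure is visible in the report rather than hidden behind a successful but weak session.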


My understanding is that SSL v3 support was maintained in Pegasus Mail v4.70 in order to function with Mercury until its update is released. SSL v3 is not used by default but can be enabled if needed.
