Well the only thing new about POODLE versus previous known vulnerabilities is the way to manipulate the known vulnerability to gain the session cookie, which you can then re-use to log on to the site for yourself without needing to authenticate.
There's no such thing as a session cookie in IMAP, so I'd be very surprised to see it usable. That doesn't mean that IMAP/SSL3 is secure, it just means it's no less secure today than it was 10 years ago.

https://www.dfranke.us/posts/2014-10-14-how-poodle-happened.html is a really good description, read especially the bit above "The workaround".

Hope this helps

Geoff

On 15 October 2014 17:03, <lst_ho...@kwsoft.de> wrote:

> Quoting Geoff Winkless <cy...@geoff.dj>:
>
>> Genuine question: is it shown that POODLE impacts on IMAPS?
>>
>> I don't see how POODLE could affect an IMAPS session, since it only works
>> if you can MITM a non-SSL session on the user's browser and force it to
>> request the same target page over and over.
>>
>> Cheers
>>
>> Geoff
>
> As said, I'm still reading on the details, so thanks for the pointer.
> Nonetheless it might be time to give up on SSLv3 because of protocol design
> errors/weakness. Unfortunately it looks like Cyrus can not disable SSLv3
> protocol without disabling ciphers also used in TLSv1.x, no?
>
> Regards
>
> Andreas
>
> ----
> Cyrus Home Page: http://www.cyrusimap.org/
> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
> To Unsubscribe:
> https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
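An added example, not part of the original thread and not Cyrus code: since the CBC cipher suites are shared between SSLv3 and TLS 1.x, whether an IMAPS listener still accepts SSLv3 has to be checked on the protocol version field, not the cipher list. The sketch below builds an SSLv3-only ClientHello and classifies the first reply record; the suite list, function names and default port 993 are assumptions chosen for illustration.

```python
import os
import socket
import struct

SSL3 = (3, 0)  # wire version of SSLv3
# Constructed sample: CBC suites (AES128-SHA, AES256-SHA, 3DES-SHA) that exist
# in both SSLv3 and TLS 1.x, so only the version field tells them apart.
SUITES = (0x002F, 0x0035, 0x000A)

def build_client_hello(version=SSL3, suites=SUITES):
    """Return one record holding a ClientHello that offers only `version`."""
    body = bytes(version) + os.urandom(32)      # client_version, random
    body += b"\x00"                             # empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                         # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake

def classify_reply(data, version=SSL3):
    """Classify the first record of the server's reply."""
    if not data:
        return "rejected"                       # connection closed, no reply
    if len(data) < 5:
        return "unknown"
    ctype, _, _, length = struct.unpack("!BBBH", data[:5])
    frag = data[5:5 + length]
    if ctype == 0x15:                           # alert record
        return "rejected"
    if ctype == 0x16 and len(frag) >= 6 and frag[0] == 0x02:   # ServerHello
        # server_version follows the 4-byte handshake header
        return "accepted" if (frag[4], frag[5]) == version else "unknown"
    return "unknown"

def probe(host, port=993, timeout=5.0):
    """Send the SSLv3-only hello to an implicit-TLS port such as IMAPS."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            return classify_reply(s.recv(4096))
        except ConnectionResetError:
            return "rejected"
```

A result of "rejected" only shows that this SSLv3 handshake did not proceed; a server that has dropped these three suites would also answer with an alert.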