Tuesday, November 18, 2014

The POODLE Exploit and CopiaFacts E-Mail

This posting affects only early adopters of CopiaFacts version 8.2, and then only those who
  • use SSL/TLS to log in securely to their own ISP or corporate mailserver to send CopiaFacts e-mail (the 'via ISP' option), or
  • use SSL/TLS with version 8.2 of EMDIRECT, which sends system notifications via a specified mail server.

The POODLE attack exploits a weakness in the way SSL 3.0 pads and encrypts data (its CBC cipher suites), letting an attacker who can observe and tamper with a connection recover parts of the plaintext, including the login credentials sent over it. SSL 3.0 should therefore be regarded as insecure and used only when the server you are connecting to does not support the more modern TLS protocol.

In 8.2 builds earlier than 8.2.0.42, CopiaFacts allowed an authenticated connection using any SSL or TLS version supported by the server. In 8.2.0.42, as soon as the implications of POODLE became apparent, we changed the default so that only TLS is allowed, but provided an override to enable SSL 3.0.

From build 8.2.0.43, CopiaFacts first attempts the secure e-mail connection using TLS only. If that connection fails, it automatically retries allowing SSL 3.0, but in a fallback mode designed so that an attacker cannot force the downgrade: a server that does support TLS can recognise the retry as a fallback and reject it, which is the step the POODLE attack relies on against a TLS-capable client. The override option that allowed plain SSL 3.0 has been removed. Note that if the server itself supports only SSL 3.0, the fallback retry will succeed and the session will run over SSL 3.0 with no protection against POODLE; the only remedy in that case is to have the server upgraded to support TLS.
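As an added illustration of what the TLS-first-then-fallback policy above depends on, here is a small probe (my own example code, not part of CopiaFacts or of this post) that checks whether a mail server still accepts SSL 3.0 at all, and whether it refuses a connection that signals it is a fallback retry. The post does not name the fallback mechanism; the example assumes it is the TLS_FALLBACK_SCSV signalling cipher suite from RFC 7507. The host name and port are placeholders, the SMTP STARTTLS preamble assumes a submission server on port 587, and the cipher list and the sample server responses are constructed for the example.

```python
"""Probe an SMTP server for SSL 3.0 acceptance and for RFC 7507 downgrade
protection, using raw handshake bytes (modern OpenSSL builds cannot speak
SSL 3.0 at all, so the ssl module is no use here)."""
import os
import re
import socket
import struct

SSL3 = (3, 0)
TLS_FALLBACK_SCSV = 0x5600  # RFC 7507 signalling cipher suite value (assumed mechanism)
# Constructed list of SSL 3.0-era CBC suites: 3DES, AES-128, AES-256 with RSA key exchange.
SSL3_CIPHERS = (0x000A, 0x002F, 0x0035)
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version",
               86: "inappropriate_fallback"}


def build_client_hello(version=SSL3, ciphers=SSL3_CIPHERS, fallback_scsv=True,
                       client_random=None):
    """Return one SSL 3.0 record carrying a ClientHello (no extensions, as in SSLv3)."""
    suites = list(ciphers) + ([TLS_FALLBACK_SCSV] if fallback_scsv else [])
    rnd = os.urandom(32) if client_random is None else client_random
    body = struct.pack("!BB", *version) + rnd + b"\x00"        # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                         # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = client_hello
    return (b"\x16" + struct.pack("!BB", *version)              # record type 22 = handshake
            + struct.pack("!H", len(handshake)) + handshake)


def classify_response(data):
    """Parse the first record the server sends back.

    Returns ('server_hello', version, suite), ('alert', level, name) or ('other', ...)."""
    if len(data) < 5:
        return ("other", "short_or_closed", None)
    ctype, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if ctype == 0x15 and len(payload) >= 2:                     # alert record: level, description
        level = "fatal" if payload[0] == 2 else "warning"
        return ("alert", level, ALERT_NAMES.get(payload[1], str(payload[1])))
    if ctype == 0x16 and len(payload) >= 39 and payload[0] == 0x02:  # handshake: ServerHello
        hello = payload[4:]                                     # skip type + 3-byte length
        sid_len = hello[34]                                     # version(2) random(32) sid_len(1)
        if len(hello) < 37 + sid_len:
            return ("other", "truncated_server_hello", None)
        suite = struct.unpack("!H", hello[35 + sid_len:37 + sid_len])[0]
        return ("server_hello", (hello[0], hello[1]), suite)
    return ("other", ctype, None)


def interpret(plain, with_scsv):
    """Combine a plain SSLv3 probe and an SSLv3+SCSV probe into a verdict string."""
    sslv3_enabled = plain[0] == "server_hello" and plain[1] == SSL3
    if not sslv3_enabled:
        return "SSL 3.0 disabled: a TLS-first client can never be downgraded"
    if with_scsv == ("alert", "fatal", "inappropriate_fallback"):
        return ("SSL 3.0 enabled but server honours TLS_FALLBACK_SCSV: a forced "
                "downgrade of a TLS-first client is refused; SSLv3-only clients remain exposed")
    return ("SSL 3.0 enabled and downgrade not refused: POODLE-exposed, "
            "reconfigure the server to offer TLS and drop SSLv3")


def _read_reply(sock):
    """Read one (possibly multi-line) SMTP reply and return its 3-digit code."""
    buf = b""
    while not re.search(rb"(?m)^\d{3} [^\r\n]*\r\n", buf):    # final line has a space after the code
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("SMTP server closed the connection")
        buf += chunk
    return buf[:3].decode()


def probe(host, port=587, starttls=True, timeout=5.0):
    """Network probe (not run offline): two handshakes, without and with the SCSV."""
    results = []
    for scsv in (False, True):
        with socket.create_connection((host, port), timeout=timeout) as s:
            if starttls:                                        # submission port: SMTP preamble first
                _read_reply(s)
                s.sendall(b"EHLO poodle-probe.example\r\n")     # placeholder client name
                _read_reply(s)
                s.sendall(b"STARTTLS\r\n")
                if _read_reply(s) != "220":
                    raise RuntimeError("server refused STARTTLS")
            s.sendall(build_client_hello(fallback_scsv=scsv))
            try:
                results.append(classify_response(s.recv(4096)))
            except OSError:                                     # timeout or reset = no ServerHello
                results.append(("other", "closed", None))
    return interpret(*results)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 587))
```

Run it as `python poodle_probe.py mail.example.com 587` (placeholder host). The first handshake asks whether the server accepts SSL 3.0 at all; the second carries TLS_FALLBACK_SCSV and asks whether a TLS-capable server refuses a retry that claims to be a fallback. Only the last verdict, SSL 3.0 enabled with no refusal, leaves a TLS-first client exposed to a forced downgrade; an SSL 3.0-only server produces that verdict too, because the fallback retry will genuinely end up on SSL 3.0.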

The default CopiaFacts e-mail delivery performs an MX lookup and connects directly to the recipient's mail server. Authentication is not used in that case, so the considerations in this posting do not apply. SSL/TLS is not used in CopiaFacts 8.1 or earlier, so those versions are also not affected.
