[QUOTE=ewmayer;385289]And let's not forget to give credit where credit is due:
[QUOTE]SSL 3.0 is still used because Internet Explorer 6, which shipped with Microsoft Windows XP and had a five-year reign as Microsoft's flagship browser, is still used. IE6 can't use SSL 3.0's successor, TLS 1.0. Hence, millions of Web servers keep SSL 3.0 alive just so that millions of Windows XP users who never upgraded to IE 7 or IE 8 can see those sites.[/QUOTE] Thanks, MSFT, first for giving us history's crappiest 64-bit OS rollout - the reason I insisted on XP in the Lenovo laptop I bought in 2008 and never considered upgrading - and for helping to promulgate an apparently unpatchable-in-situ security bug due to shitty crypto. If I didn't know better I might think MSFT is deliberately releasing such stuff to make life easier for its government-spook pals, but fortunately I'm not that cynical.[/QUOTE]IE6 is actively causing harm and misery to the larger population. Eradicating it requires a Herculean effort like that of smallpox eradication. Perhaps we need a digital World Health Organization, border inspections upon crossing over to Microsoft, etc. |
[QUOTE=retina;385301]My FF 3.6.28 has:
security.enable_ssl3[/QUOTE] Our firefox version has a tickbox: Edit->Preferences->Advanced->Encryption->Use SSL 3.0 |
[URL="https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/"]Mozilla Security Blog: The POODLE Attack and the End of SSL 3.0[/URL][QUOTE]SSLv3 will be disabled by default in Firefox 34, which will be released on Nov 25. The code to disable it is landing today in Nightly, and will be promoted to Aurora and Beta in the next few weeks. This timing is intended to allow website operators some time to upgrade any servers that still rely on SSLv3.
As an additional precaution, Firefox 35 will support a generic TLS downgrade protection mechanism known as SCSV. If this is supported by the server, it prevents attacks that rely on insecure fallback.
Additional Precautions
For Firefox users, the simplest way to stay safe is to ensure that Firefox is configured to automatically update. Look under Preferences / Advanced / Update and make sure that “Automatically install updates” is checked. For users who don’t want to wait till November 25th (when SSLv3 is disabled by default in Firefox 34), we have created the [URL="https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/"]SSL Version Control[/URL] Firefox extension to disable SSLv3 immediately.[/QUOTE]
Read the comments that follow this linked blog entry. Twiddling settings might not work that well. The SSL Version Control extension might be better. Also, the following link was in a comment for testing vulnerability: [url]https://www.poodletest.com/[/url] |
[QUOTE=Nick;385313]Our firefox version has a tickbox:
Edit->Preferences->Advanced->Encryption->Use SSL 3.0[/QUOTE]3.6.28 has this: Tools->Options->Advanced->Encryption->Use SSL 3.0 - but it is hard to find with all that pointing and [strike]dicking[/strike] clicking around. So much easier to type ssl3 in the config page. |
[QUOTE=retina;385301]My FF 3.6.28 has:
security.enable_ssl3[/QUOTE] Thanks - I froze my FF version at 22 on my Mac due to the image-rendering-always-on "feature" introduced in v23 (and yes, I know there is an add-on to return image-on/off control to the user; I use that on my WinXP notebook, where I inadvertently upgraded from v22 to v30+ a few months ago), but v22 has the same menu option; toggled it to "false". But note: [QUOTE=Nick;385313]Our firefox version has a tickbox: Edit->Preferences->Advanced->Encryption->Use SSL 3.0[/QUOTE] after toggling the above about:config item I also checked the status of this checkbox - it was still checked. In other words, either there are separate underlying bools at work here (which would be bizarre, but not unheard-of), or the checkbox does not properly "live update" its status based on the value of security.enable_ssl3. So I unchecked it just to be sure. Thx for the tips, guys. |
[QUOTE=only_human;385316]Read the comments that follow this linked blog entry. Twiddling settings might not work that well. The SSL Version Control extension might be better. Also, the following link was in a comment for testing vulnerability:
[url]https://www.poodletest.com/[/url][/QUOTE] Turned image-rendering on, loaded the no-JS version of the latter page, but even after 2 solid minutes and a page reload, no image appeared. Ah, well. Testing dubious fixes for broken software with more broken software... Edit: This alternate "test your Poodle vulnerability" site mentioned in the user comments for the above blog post works for me, and confirms "not vulnerable": [url]https://dev.ssllabs.com/ssltest/viewMyClient.html[/url] (It seems you must enable JS for this to work, though.) |
Hehe, thanks for those files. Nostalgia of the pre-GPS era... Around NICT (Tokyo), the signal was so strong that the watches didn't need battery, for quite a long distance. They worked extracting "the parasitic" energy from the ~40kHz signal (LCD watches, not those with handles and coil inside). We used to produce some of those watches in China, for the Japanese market, in '98-'99. I remember a funny story in Romanian newspapers around 2003 or so. After the communism went down, many guys willing to get rich overnight went west, or everywhere around the globe, and bought cheap "capitalist stuff" that couldn't (yet) be bought locally, and came back to sell it for higher prices. It took them a while (from 1990) to reach Japan, but eventually they did, and some of them brought back suitcases full of watches which "are always perfectly accurate, never slower, and never faster", thinking of making a lot of money by selling them. You could buy them for nothing in China and Japan. The drama was that the watches, when they woke up in Europe and put their nose out of the suitcase, didn't want to work at all. Mainflingen (the German counterpart) was too far (and anyhow the signal was 77kHz, not optimal to extract any energy from it) and in general there were no long-wave transmitters around, it was the time when (after the radio frequencies were opened to public use; previously under the communist government they were state-monopoly) every radio station in the country went short wave. [edit: with a 40kHz radio signal around, if you could make one in the lab, the clocks still could work, but they showed not very accurate times, as they couldn't "understand" the synchro part, only get the energy from the carrier signal].
I laugh for days imagining the guys with a suitcase full of small wrist watches which show nothing on the LCD... One guy even wanted to sue the airline, because he thought that the watches suffered some damages during transportation. :rofl: |
[url]http://www.rotten.com/library/conspiracy/press-your-luck/[/url]
[url]http://en.wikipedia.org/wiki/Michael_Larson[/url] |
1959 Asimov paper written for DARPA about fostering creativity finally sees the light of day.
[url]http://www.technologyreview.com/view/531911/isaac-asimov-mulls-how-do-people-get-new-ideas/[/url] |
[url]http://www.openculture.com/2014/10/what-happens-when-you-take-a-nobel-prize-through-airport-security-2.html[/url]
[quote]“They’re like, ‘Sir, there’s something in your bag.’ I said, ‘Yes, I think it’s this box.’ They said, ‘What’s in the box?’ I said, ‘a large gold medal,’ as one does. So they opened it up and they said, ‘What’s it made out of?’ I said, ‘gold.’ And they’re like, ‘Uhhhh. Who gave this to you?’ ‘The King of Sweden.’ ‘Why did he give this to you?’ ‘Because I helped discover the expansion rate of the universe was accelerating.’ At which point, they were beginning to lose their sense of humor. I explained to them it was a Nobel Prize, and their main question was, ‘Why were you in Fargo?’”[/quote] In the late 1930s several nobelists working in Germany dissolved their medals in aqua regia in order to not fall afoul of the Nazi gold-confiscation laws. The medals spent the war as innocuous-looking black solutions in glass reagent bottles on the shelf of a chem lab. After the war the Nobel foundation recast them - the story does not say whether from the precipitated solutions or from "new gold" - and restored them to their owners. |