POODLE attack: is Kerio Connect affected? (SSL version 3.0 is no longer secure)
  •  
pillar

Does anyone know to what extent Kerio Connect is affected by the vulnerability in the design of SSL version 3.0, which was reported by the Google Online Security Blog yesterday? And if there is a safety issue: how can it be reduced or eliminated?
  •  
Pavel Dobry (Kerio)

Yes. All products using the OpenSSL library are affected, including Kerio products.
You can find more information at http://tinyurl.com/KerioPoodle

Knowledge Base: http://kb.kerio.com/.
Technical support: http://www.kerio.com/support
------------------
Stay Connected Anytime, Anywhere. Discover Kerio Cloud!
  •  
pillar

1. Why does Kerio Tech not inform its customers proactively? Why do I need to ask at all? Since customers are required to update the licensing periodically, Kerio Tech's sales department should be aware of each customer's contact details.

2. When can the patch be expected?
  •  
Bud Durland

Pavel Dobry (Kerio) wrote on Wed, 15 October 2014 15:10
Yes. All products using the OpenSSL library are affected, including Kerio products.
You can find more information at http://tinyurl.com/KerioPoodle


If I perform the workarounds as described in the above URL, how will that affect users that have Outlook & the Kerio OffLine connector installed, or mobile users who are accessing the server using ActiveSync? This describes about 95% of my users.


  •  
Pavel Dobry (Kerio)

It depends on what clients you use. If they don't support TLS 1.1 they cannot connect to the server.

Honestly, my recommendation is to wait for our patch. Disabling SSL 3.0 and TLS 1.0 causes compatibility problems with many clients. The Poodle vulnerability is hype now (funny that once you give it a "name" it sounds more serious than it really is) but in fact an exploit is very, very difficult. The only result of it is that the client starts using SSL 3.0. Most email clients and even browsers use SSL 3.0 or TLS 1.0 now. Both are vulnerable to the BEAST attack regardless of Poodle. And the only real solution is to use TLS 1.1 and higher (enabling weak RC4 ciphers as a workaround for the BEAST attack makes it worse in my opinion).

[Updated on: Thu, 16 October 2014 00:37]

