DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
SSL 3.0 POODLE Vulnerability & Draytek Products
16 Oct 2014 11:37 #81423
by j03y
SSL 3.0 POODLE Vulnerability & Draytek Products was created by j03y
A team of researchers at Google have found vulnerabilities in SSL 3.0 that could allow someone on the same network to launch an "in the middle" attack using JavaScript and eventually steal session cookies. At the moment this isn't considered high-risk but potentially this is a problem for Draytek products if management is done over a public WiFi hotspot; it may be possible for an attacker to gain access to the administrator interface. Nowhere near an expert on the subject and I don't want to scare-monger over this so I want to raise a discussion over potential impact.
This is pretty much the beginning of the end for SSL 3.0 which has been around since 1996 (!). Firefox 34, due November 2014, will disable SSL 3.0 by default and the research team is supposedly recommending disabling SSL 3.0 altogether. I bet TLS 1.0 won't be far behind too as that is supposedly not much different from SSL 3.0.
Further reading:
https://technet.microsoft.com/en-us/library/security/3009008.aspx
http://www.theregister.co.uk/2014/10/16/poodle_analysis/
I tried disabling SSL3.0 in Internet Explorer 11 and found that Draytek 2820 uses no higher than SSL 3.0 in firmware 3.3.7.5 with HTTPS encryption mode set to "high". As this is an old product I don't think that this will be upgraded to support TLS 1.0/1/2.
Also have a 120 v2 on site but as it's in production I don't want to pull it to test.
Please Log in or Create an account to join the conversation.
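A scripted form of the check described in the opening post, added here as an example and not part of the original thread or any DrayTek tooling: it offers TLS 1.2 in a hand-built ClientHello and reports which protocol version the device's ServerHello selects. The function names, the cipher list and the sample records are assumptions constructed for illustration; run `probe` only against a device you administer.

```python
import os
import socket
import struct
import sys

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def build_client_hello(max_version=0x0303):
    """Extension-free ClientHello offering max_version with legacy CBC/RC4 suites."""
    ciphers = struct.pack("!4H", 0x002F, 0x0035, 0x000A, 0x0005)
    body = (struct.pack("!H", max_version) + os.urandom(32)  # client_version, random
            + b"\x00"                                        # empty session id
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00")                                   # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Record-layer version is set to SSL 3.0 so that legacy stacks accept the record.
    return b"\x16" + struct.pack("!HH", 0x0300, len(handshake)) + handshake

def parse_server_response(data):
    """Return the protocol version the server selected, or the alert it sent."""
    if len(data) < 7:
        raise ValueError("response too short to be a TLS record")
    ctype, _rec_version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if ctype == 0x15 and len(payload) >= 2:                  # alert record
        return "alert(level=%d, desc=%d)" % (payload[0], payload[1])
    if ctype != 0x16 or len(payload) < 6 or payload[0] != 0x02:
        raise ValueError("first record is not a ServerHello")
    (server_version,) = struct.unpack("!H", payload[4:6])
    return VERSIONS.get(server_version, hex(server_version))

def probe(host, port=443, timeout=5.0):
    """Offer TLS 1.2 to host:port and report what the device answers with."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        data = b""
        while len(data) < 11:                                # enough for the version field
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_server_response(data)

def sample_server_hello(version):
    """Constructed ServerHello (not captured traffic) selecting the given version."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00\x00\x05\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", version, len(hs)) + hs

if __name__ == "__main__":
    print(probe(sys.argv[1]) if len(sys.argv) > 1
          else parse_server_response(sample_server_hello(0x0300)))
```

A reply of "SSL 3.0" to a TLS 1.2 offer means the device cannot negotiate anything newer; an alert means it shares no version or cipher suite with this deliberately legacy hello.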
16 Oct 2014 16:19 #81428
by babis3g
Replied by babis3g on topic Re: SSL 3.0 POODLE Vulnerability & Draytek Products
There is a statement from DrayTek about SSL:
http://www.forum.draytek.co.uk/viewtopic.php?f=5&t=19278
Unless (it seems) this is a new issue, then I don't know. Keep an eye out, because DrayTek should make a statement soon, or if some products are affected I am sure some action will be taken.
19 Oct 2014 12:28 #81446
by admin
Forum Administrator
Replied by admin on topic Re: SSL 3.0 POODLE Vulnerability & Draytek Products
It's a new issue. It seems lately the white-hat hackers (the good guys...I think that's the right word) are working harder than the bad guys, which is good. DrayTek are investigating this. Even if it's low-risk/unlikely/theoretical only, they will examine even a potential/unlikely risk and make modifications or issue advice if appropriate. It will take a few days to conduct and complete the proper assessment.
15 Nov 2014 21:05 #81802
by eskdale
Replied by eskdale on topic Re: SSL 3.0 POODLE Vulnerability & Draytek Products
16 Nov 2014 12:45 #81808
by linker3000
Replied by linker3000 on topic Re: SSL 3.0 POODLE Vulnerability & Draytek Products
I updated the firmware on my 2820 from 3.3.5.2 to 3.3.7.5 as the release notes state that the new firmware includes a fix for the SSL issue. The payback was that it totally stuffed the VPN connections - they would not pass data and would drop/reconnect every 30-40 seconds. I had to downgrade to 3.3.5.2 to get everything working again.
07 Dec 2014 17:29 #82035
by ncollingridge
Replied by ncollingridge on topic Re: SSL 3.0 POODLE Vulnerability & Draytek Products
Anyone have any idea when the updated firmwares are going to be available? I have a 2850 that I cannot control from Firefox since I updated it to v34.0. I appreciate that it is probably quite a big job to replace SSL with TLS, but it would be great to get some idea of ETA.
Hope it also fixes my problem with Syslog which has basically stopped logging events to a USB drive.