CloudFront 對 POODLE 的安全性更新

CloudFront 的進一步更新出來了,剛剛看到信件通知。分成兩種 case,一種是使用 dedicated IP 服務的人,一種是使用 *.cloudfront.net 的人。

使用 dedicated IP 的人仍然可以打開 SSLv3,不過 CloudFront 建議在 use case 允許下不要開:

If you are using the Dedicated IP Custom SSL Certificates to serve SSL traffic, you may configure whether your distribution accepts SSLv3 connections. We have added an option to select this in both the console and the API. For existing distributions that use Dedicated IP Custom SSL, the default value for this new setting will be to allow SSLv3, so you will need to update your distributions if you want to disallow SSLv3. We do recommend that customers disable SSLv3 if their use case allows it.

使用 *.cloudfront.net 預定在 2014/11/03 之後就會關閉 SSLv3:

Additionally, starting on November 3rd, 2014, we will begin disabling SSLv3 for ALL customers who use SSL with the default CloudFront domain name (*.cloudfront.net). If you believe that this policy will negatively affect your website or application, please contact us as soon as possible so that we can discuss your options: https://aws.amazon.com/forms/poodle_sslv3

而使用 SNI 的人不需要管這件事情,因為這代表你已經是用 TLS 了:

If you're using Custom SSL Certificates and Server Name Indication (SNI), you don’t need to take any action because, as SNI-Only Custom SSL distributions already did not allow SSLv3 connections.

Leave a Reply

Your email address will not be published. Required fields are marked *