Brace for impact (SSL vuln?)

Seems nothing is secure these days. It's getting pretty bad.

Seems every company is getting hacked left and right, and exploits are being found all over in highly used software... both probably related.
 
SSL 3.0 is obsolete. Only one cipher suite family in the standard is still reasonably secure (IDEA CBC) assuming the implementation has been patched for other vulnerabilities.

You'd have to go back to IE 6 on XP to get bit by this one.
 
devman, you obviously haven't set up many web servers or worked with the military :-D

Most servers still support the use of SSL 2.0/3.0, all you have to do on the client end is disable the newer ciphers and the web servers will be like "Sure buddy, let me revert back for ya" and in some corporations and environments those newer ciphers are just disabled for "compatibility" purposes. Also the clients will revert back if the web server doesn't support newer versions too. So either way from client or server side you can try to force any version you want.
 
Last edited:
Isin't SSL the defacto standard for HTTPS? Anything else would probably require some kind of special plugin no?
 
SSL was "replaced" by TLS

SSL 3.0 is pretty old (1996)

The latest version is TLS 1.2 (2008) with TLS 1.3 in Draft.
 
MysticRyuujin said:
devman, you obviously haven't set up many web servers or worked with the military :-D

Most servers still support the use of SSL 2.0/3.0, all you have to do on the client end is disable the newer ciphers and the web servers will be like "Sure buddy, let me revert back for ya" and in some corporations and environments those newer ciphers are just disabled for "compatibility" purposes. Also the clients will revert back if the web server doesn't support newer versions too. So either way from client or server side you can try to force any version you want.
Click to expand...

Even by legacy standards SSL 3.0 hasn't been sufficient since RC4 was broken last year. I realize there will always be outliers though.
 
Last edited:
MysticRyuujin said:
SSL was "replaced" by TLS

SSL 3.0 is pretty old (1996)

The latest version is TLS 1.2 (2008) with TLS 1.3 in Draft.
Click to expand...

Oh I always though TLS was just a type of SSL, so it's not affected then? I think that's the default that is created when you generate certs. I just checked an old self signed cert and it says TLS, so guess that's safe.
 
The point is, you need to make sure that your applications don't fall back to the old SSL.
 
You can disable SSL 3.0 no problem IF you don't mind leaving IE6 users in the dust. If your page is accessible through normal HTTP, you can use a banner such as that provided by https://www.ie6nomore.com/ to inform users that they will not be able to use your site (or at least not encryption). Though - hey - SSL 3.0 still beats nothing. You just don't want to let IE6 users in if the data is truly sensitive.

For those using IIS, the task is relatively simple with this good piece of freeware: https://www.nartac.com/Products/IISCrypto/ - click the "Best Practices" button and you're pretty much done. You can disable the 3DES OR RC4 (not both) cipher suite at the bottom of the list and perhaps the 3DES OR RC4 cipher itself, but you may want to keep RC4 if you prioritize older client support over data security. You can't do AES ciphers in IE in WinXP, even if you use IE7 or IE8. So WinXP users MUST use an alternative browser for high security. You can and should disable all the RC* ciphers below 128 bits as well as all RC2 and DES ciphers as well as the NULL cipher. I have the following ciphers enabled: RC4 128/128 (for those XP users - I wish I could disable it), 3DES 168/168, AES 128/128, and AES256/256.

For info about browser and crypto-library support, check out these 2 Wikipedia links:
https://en.wikipedia.org/wiki/Transport_Layer_Security
https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations
 
Last edited:
dandragonrage said:
You can disable the 3DES cipher suite at the bottom of the list and perhaps the 3DES cipher itself, but you may want to keep RC4 if you prioritize older client support over data security. You can't do AES ciphers in IE in WinXP, even if you use IE7 or IE8. So WinXP users MUST use an alternative browser for high security. You can and should disable all the RC* ciphers below 128 bits as well as all RC2 and DES ciphers as well as the NULL cipher. I have the following ciphers enabled: RC4 128/128 (for those XP users - I wish I could disable it), 3DES 168/168, AES 128/128, and AES256/256.
Click to expand...


3DES CBC should be preferred to RC4, and is supported by IE6 (which means you can disable RC4) if you need to support legacy clients. 3DES CBC is weaker than AES but it isn't broken like RC4 is.

dandragonrage said:
Though - hey - SSL 3.0 still beats nothing.
Click to expand...

I disagree, security theater is worse than no security.
 
devman said:
I disagree, security theater is worse than no security.
Click to expand...

No. The user isn't going to know or care about the security setup. They should, but they won't. There is no fooling them into thinking they're secure when they're not, because they aren't going to think about security at all. Would you rather the external doors on your home have no locks or low-quality ones that can easily be picked (which most homes do actually have - grade 3 locks are garbage)? I'd take the crappy locks, please and thanks. (But I'm not an idiot, so I do purchase grade 1 locks, period.)

As far as I was aware, 3DES was supposed to also be broken? Eh, maybe I'm just thinking of how people distrust it for not being anywhere near 168 bits in actuality. In any case, both are pretty crappy and it sucks to have to support IE on XP at all.

Edit: Did some reading and apparently a lot of the recommendations (including over the past year) for RC4 have mainly been because 3DES is slow. This is stupid. I'm going to give 3DES a try with RC4 disabled now.
 
Last edited:
You must log in or register to reply here.
Back
Top