[WEB SECURITY] Question on SSL

Steve Pinkham steve.pinkham at gmail.com
Fri Nov 7 09:10:34 EST 2008 

y3iQK0zNbyomSy2w y3iQK0zNbyomSy2w wrote:
> Hi,
> 
> I'm trying to learn more about SSL/TLS, hope you guys can help me with 
> question below.
> 
> What is the implications of enabling SSLv2 on a web server, along with 
> the more secure ones like SSLv3 and TLSv1?
> 
> Thanks
> -- 
> Toho

SSLv2 has a number of flaws, most notably the cypher roll-back issues.
A MITM can downgrade a SSLv2 connection to the lowest security cypher 
supported by the server, usually a very weak 40 bit encryption, 
sometimes null encryption or a somewhat stronger 56bit cypher.
With readily available and relatively cheap ($10K US) hardware, you can 
break 40 bit in a few seconds, and 56 bit in a couple of days.  The null 
cypher obviously takes no time to crack.  See http://www.copacobana.org/ 
for one example of the sort of cracking hardware available at the 
moment(for sale or rent).  GPU or CPU based crackers will also do the 
job cheaper if you're more patient.

This attack is largely mitigated by the fact that IE 7, Firefox 2, 
Safari, and Opera 9 and later versions of the above mentioned browsers 
either no longer support SSLv2 or have support for it turned off by 
default.  However, IE 6 still has a large(~30%) market share, and is 
still the standard in many large organizations concerned about 
compatibility with legacy webapps.  When IE6 finally dies(hopefully 
quickly and gruesomely) this issue largely dies with it.

Wikipedia has good overview of many of the issues in SSL:
http://en.wikipedia.org/wiki/Secure_Sockets_Layer#Security
-- 
  | Steven E. Pinkham                      |
  | GPG public key ID CD31CAFB             |

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA

More information about the websecurity mailing list