People are seriously STILL letting SSLv2?????

Talk about internet security, computer security, personal security, your social security number...
Post Reply
barbaz
Senior Member
Posts: 9147
Joined: Sat Aug 03, 2013 5:45 pm

People are seriously STILL letting SSLv2?????

Post by barbaz » Tue Mar 01, 2016 6:00 pm

*Always* check the changelogs BEFORE updating that important software!
-

User avatar
therube
Ambassador
Posts: 7409
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: People are seriously STILL letting SSLv2?????

Post by therube » Tue Mar 01, 2016 9:19 pm

therube wrote:Only thing I'm not so clear on, is a non-SSL 2 client (say a current web browser) at risk when connecting to one of these vulnerable servers?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:42.0) Gecko/20100101 SeaMonkey/2.39

barbaz
Senior Member
Posts: 9147
Joined: Sat Aug 03, 2013 5:45 pm

Re: People are seriously STILL letting SSLv2?????

Post by barbaz » Tue Mar 01, 2016 9:23 pm

My understanding is yes it is, but there is nothing said clients can do on their end about it.
*Always* check the changelogs BEFORE updating that important software!
-

barbaz
Senior Member
Posts: 9147
Joined: Sat Aug 03, 2013 5:45 pm

Re: People are seriously STILL letting SSLv2?????

Post by barbaz » Wed Mar 02, 2016 3:07 am

*Always* check the changelogs BEFORE updating that important software!
-

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: People are seriously STILL letting SSLv2?????

Post by Thrawn » Thu Mar 03, 2016 1:31 am

therube wrote:Only thing I'm not so clear on, is a non-SSL 2 client (say a current web browser) at risk when connecting to one of these vulnerable servers?

Depends on what you mean by "at risk", but somewhat, yes.

The attacker basically records a large number of your TLS handshakes from the wire, and then gets the SSL2 server to decrypt them. Because SSL2 is just that broken. There's really nothing you can do about the general attack on the client end.

On the other hand, the more efficient attack, using JavaScript to make your browser quickly send off the necessary 1000-ish TLS handshakes - that can be killed off by NoScript.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0

Post Reply