People are seriously STILL letting SSLv2?????
*Always* check the changelogs BEFORE updating that important software!
Re: People are seriously STILL letting SSLv2?????
therube wrote: Only thing I'm not so clear on, is a non-SSL 2 client (say a current web browser) at risk when connecting to one of these vulnerable servers?
Re: People are seriously STILL letting SSLv2?????
My understanding is yes it is, but there is nothing said clients can do on their end about it.
Re: People are seriously STILL letting SSLv2?????
therube wrote: Only thing I'm not so clear on, is a non-SSL 2 client (say a current web browser) at risk when connecting to one of these vulnerable servers?
Depends on what you mean by "at risk", but somewhat, yes.
The attacker basically records a large number of your TLS handshakes from the wire, and then gets the SSL2 server to decrypt them. Because SSL2 is just that broken. There's really nothing you can do about the general attack on the client end.
On the other hand, the more efficient attack, using JavaScript to make your browser quickly send off the necessary 1000-ish TLS handshakes - that can be killed off by NoScript.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.