People are seriously STILL letting SSLv2?????

Post by **barbaz** » Tue Mar 01, 2016 6:00 pm

http://arstechnica.com/security/2016/03 ... on-attack/

Post by **therube** » Tue Mar 01, 2016 9:19 pm

therube wrote:Only thing I'm not so clear on, is a non-SSL 2 client (say a current web browser) at risk when connecting to one of these vulnerable servers?

Post by **barbaz** » Tue Mar 01, 2016 9:23 pm

My understanding is yes it is, but there is nothing said clients can do on their end about it.

Post by **barbaz** » Wed Mar 02, 2016 3:07 am

http://www.dslreports.com/forum/r306164 ... -use-SSLv2

Post by **Thrawn** » Thu Mar 03, 2016 1:31 am

therube wrote:Only thing I'm not so clear on, is a non-SSL 2 client (say a current web browser) at risk when connecting to one of these vulnerable servers?

Depends on what you mean by "at risk", but somewhat, yes.

The attacker basically records a large number of your TLS handshakes from the wire, and then gets the SSL2 server to decrypt them. Because SSL2 is just that broken. There's really nothing you can do about the general attack on the client end.

On the other hand, the more efficient attack, using JavaScript to make your browser quickly send off the necessary 1000-ish TLS handshakes - that can be killed off by NoScript.

InformAction Forums

People are seriously STILL letting SSLv2?????

People are seriously STILL letting SSLv2?????

Re: People are seriously STILL letting SSLv2?????

Re: People are seriously STILL letting SSLv2?????

Re: People are seriously STILL letting SSLv2?????

Re: People are seriously STILL letting SSLv2?????