People are seriously STILL letting SSLv2?????
Posted: Tue Mar 01, 2016 6:00 pm
by barbaz
Re: People are seriously STILL letting SSLv2?????
Posted: Tue Mar 01, 2016 9:19 pm
by therube
therube wrote: Only thing I'm not so clear on, is a non-SSL 2 client (say a current web browser) at risk when connecting to one of these vulnerable servers?
Re: People are seriously STILL letting SSLv2?????
Posted: Tue Mar 01, 2016 9:23 pm
by barbaz
My understanding is yes, it is, but there is nothing said clients can do on their end about it.
Re: People are seriously STILL letting SSLv2?????
Posted: Wed Mar 02, 2016 3:07 am
by barbaz
Re: People are seriously STILL letting SSLv2?????
Posted: Thu Mar 03, 2016 1:31 am
by Thrawn
therube wrote: Only thing I'm not so clear on, is a non-SSL 2 client (say a current web browser) at risk when connecting to one of these vulnerable servers?
Depends on what you mean by "at risk", but somewhat, yes.
The attacker basically records a large number of your TLS handshakes from the wire, and then gets the SSL2 server to decrypt them. Because SSL2 is just that broken. There's really nothing you can do about the general attack on the client end.
On the other hand, the more efficient attack, using JavaScript to make your browser quickly send off the necessary 1000-ish TLS handshakes - that can be killed off by NoScript.
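Since the thread's point is that the fix has to happen on the server, here is one way an operator can check whether a server they run still answers SSLv2. This is an added example, not part of the original posts; the function names `client_hello`, `classify` and `probe` are assumptions made for illustration, and the sample reply bytes are constructed.

```python
import os
import socket
import struct

# SSLv2 cipher kinds offered in the probe (3 bytes each).
CIPHERS = bytes.fromhex("010080" "020080" "030080" "040080" "050080" "060040" "0700c0")


def client_hello(challenge=None):
    """SSLv2 CLIENT-HELLO: 2-byte header (high bit set), then the message."""
    challenge = challenge or os.urandom(16)
    body = struct.pack(">BHHHH", 1, 0x0002, len(CIPHERS), 0, len(challenge))
    body += CIPHERS + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body


def classify(reply):
    """Return (verdict, cipher kinds as hex) for the server's first record."""
    if len(reply) < 13 or not reply[0] & 0x80 or reply[2] != 4:
        return "no-sslv2", []  # TLS alert, SSLv2 ERROR, reset, or nothing
    # SERVER-HELLO layout after the type byte: hit, cert type, version,
    # certificate length, cipher-spec length, connection-id length.
    version, cert_len, spec_len = struct.unpack(">HHH", reply[5:11])
    if version != 0x0002:
        return "no-sslv2", []
    specs = reply[13 + cert_len:13 + cert_len + spec_len]
    kinds = [specs[i:i + 3].hex() for i in range(0, len(specs) - 2, 3)]
    return "sslv2-accepted", kinds


def probe(host, port=443, timeout=5.0):
    """Send the CLIENT-HELLO to host:port and classify the reply."""
    reply = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(client_hello())
        try:
            while len(reply) < 2 or len(reply) < 2 + (int.from_bytes(reply[:2], "big") & 0x7FFF):
                chunk = s.recv(4096)
                if not chunk:
                    break
                reply += chunk
        except OSError:
            pass  # timeout or reset: classify whatever arrived
    return classify(reply)


if __name__ == "__main__":
    # Constructed SERVER-HELLO (dummy 4-byte certificate), not a capture.
    body = struct.pack(">BBBHHHH", 4, 0, 1, 2, 4, 6, 16)
    body += b"\x00" * 4 + bytes.fromhex("0100800700c0") + b"\x11" * 16
    print(classify(struct.pack(">H", 0x8000 | len(body)) + body))
    print(classify(bytes.fromhex("15030100020228")))  # TLS fatal alert
```

A verdict of `sslv2-accepted` means the server completed the first step of an SSLv2 handshake and the protocol should be disabled in its TLS configuration; the same check applies to every other service (mail, for example) that shares the same key.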