Home page logo
/

webappsec logo WebApp Sec mailing list archives

RE: SSL 2.0 enabled or disabled?
From: "Dimitris Petropoulos" <D.Petropoulos () encode-sec com>
Date: Tue, 25 May 2004 12:32:24 +0300

The main security issues with SSL v2 are the following:

Downgrade attack: since SSL v2 does not cryptographically protect the
integrity of the handshake messages, an active attacker can modify
ClientHello and ServerHello messages to convince two interacting parties
to use weak ciphersuites even if both parties support strong encryption.

Truncation attack: SSL v2 does not use dedicated connection closure
alert messages but simply relies on TCP FINs to indicate the end of a
session making it therefore susceptible to truncation attacks via the
use of spoofed FINs.

Weak Message Authentication when export grade encryption is used: SSL v2
uses the same keys for encryption and message authentication. That means
that in cases where export grade cryptography (e.g. 40-bit) is used, the
integrity mechanism can be attacked via brute force just as easily as
the confidentiality mechanism. In SSL v3 these are separated and you can
have strong integrity even in the cases where weak encryption is used.

Hope this helps.

Best regards,

-----------------------
Dimitrios Petropoulos
MSc InfoSec, CISSP

Director, Security Research & Development
 
ENCODE S.A.
3, R.Melodou Str
151 25 Maroussi
Athens, Greece
Tel: +30210-6178410
Fax: +30210-6109579
web: www.encode-sec.com
------------------------
 

-----Original Message-----
From: James Bowman [mailto:jim () drexel edu]
Sent: Monday, May 24, 2004 5:59 PM
To: webappsec () securityfocus com
Subject: Re: SSL 2.0 enabled or disabled?


In-Reply-To: <20040519021346.E1E8F7274 () sitemail everyone net>

We have a fully patched MS server shop asking for specific
reasons why they should disable SSL V2 and PCT 1.0.



Yes, we're pushing the "less is best" approach WRT
unnecessary protocol support, but what else can we add to 
help with the justification?








******************************************************************
Any views expressed in this message are those of the
individual sender, except where the sender specifically
states them to be the views of ENCODE S.A.
******************************************************************


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]