SSL 3.0 discovered to be vulnerable to a man-in-the-middle attack


SSL 3.0 has been found to be vulnerable to a man-in-the-middle attack that allows the plaintext of secure connections to be recovered by a network attacker.

SSL 3.0 is nearly 18 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue.

Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.
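The TLS_FALLBACK_SCSV mechanism recommended above, shown as an added example that is not part of the original post: a minimal server-side check in Python following RFC 7507. The ClientHello bytes are constructed test data, and the parser only reads the fields the check needs (version and cipher suite list).

```python
"""Server-side TLS_FALLBACK_SCSV handling (RFC 7507) over a constructed ClientHello."""
import struct

TLS_FALLBACK_SCSV = 0x5600  # signalling cipher suite value a client adds on a retry
SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2 = 0x0300, 0x0301, 0x0302, 0x0303


def parse_client_hello(body: bytes):
    """Return (client_version, cipher_suites) from a ClientHello handshake body.
    Layout: version(2) random(32) session_id(1+n) cipher_suites(2+m) compression..."""
    version = struct.unpack(">H", body[0:2])[0]
    off = 2 + 32                                  # skip version and random
    sid_len = body[off]
    off += 1 + sid_len                            # skip session id
    cs_len = struct.unpack(">H", body[off:off + 2])[0]
    off += 2
    suites = [struct.unpack(">H", body[i:i + 2])[0]
              for i in range(off, off + cs_len, 2)]
    return version, suites


def handle_client_hello(body: bytes, server_max_version: int):
    """RFC 7507 rule: if the client signals a fallback (SCSV present) but offers a
    version lower than the highest one we support, the retry was induced by a
    failure we did not cause, so abort with inappropriate_fallback (alert 86).
    Returns ("alert", "inappropriate_fallback") or ("accept", negotiated_version)."""
    client_version, suites = parse_client_hello(body)
    if TLS_FALLBACK_SCSV in suites and client_version < server_max_version:
        return ("alert", "inappropriate_fallback")
    return ("accept", min(client_version, server_max_version))


def build_client_hello(version: int, suites) -> bytes:
    """Construct a minimal ClientHello body (test data, not a real browser capture)."""
    cs = b"".join(struct.pack(">H", s) for s in suites)
    return (struct.pack(">H", version) + b"\x11" * 32   # version, fixed 'random'
            + b"\x00"                                   # empty session id
            + struct.pack(">H", len(cs)) + cs           # cipher suites
            + b"\x01\x00")                              # compression: null only


if __name__ == "__main__":
    aes_cbc = 0x002F  # TLS_RSA_WITH_AES_128_CBC_SHA, a common CBC suite
    # Browser forced to retry at SSL 3.0 against a TLS 1.2 server: rejected.
    print(handle_client_hello(build_client_hello(SSL_3_0, [aes_cbc, TLS_FALLBACK_SCSV]), TLS_1_2))
    # Old client that genuinely tops out at SSL 3.0 (no SCSV): still served.
    print(handle_client_hello(build_client_hello(SSL_3_0, [aes_cbc]), TLS_1_2))
```

The third case is the compatibility point the text makes: a client that never supported anything newer does not send the SCSV, so it keeps working, while an induced downgrade is refused.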

Innovice-IT is a partner of KeyTalk (http://keytalk.com). KeyTalk prevents man-in-the-middle attacks in a very smart way with Device DNA and short-lived certificates. This spares your helpdesk a great deal of key management and keeps logins safe. We are able to facilitate a proof of concept for your company. Please contact us for more information.


About the Author

Tamara Eikelenboom-Kamp

Tamara Eikelenboom-Kamp is managing director at Innovice-IT. She publishes mainly about cyber security. She works with several specialists selected for their knowledge and skills in cyber security and cyber safety. The emphasis is on conceptual thinking, developing plans, innovative software and innovative methods. The main activities of Innovice-IT are Cyber Security Consulting, Penetration Testing and Secure Managed Hosting.
