SSL 3.0 discovered to be insecure to a man-in-the-middle attack

  • -

SSL 3.0 discovered to be insecure to a man-in-the-middle attack

SSL v3.0 has been found to be insecure to a
man-in-the-middle attack, allowing the plaintext of secure connections
to be calculated by a network attacker.

SSL 3.0 is nearly 18 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue.

Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.

Innovice-IT is partner of KeyTalk (http://keytalk.com). KeyTalk prevents man in the middle attacks at a very smart way with Device DNA and short living certificates. This prevents a load of key management for your helpdesk and keeps the login’s safe. We are able to facilitate a proof of concept for your company. Please contact us for more information.


About Author

Tamara Eikelenboom-Kamp

Tamara Eikelenboom-Kamp

Tamara Eikelenboom-Kamp is managing director at Innovice-IT. She is mainly publishing about CyberSecurity. She is working with several specialists based on their knowledge and skills in cyber-security and cyber-safety. The emphasis is on conceptual thinking, developing plans, innovative software or innovative methods. The main activities of Innovice-IT are Cyber Security Consulting, Penetration Testing and Secure Managed Hosting.

Search

Innovice-IT on Twitter

  1. Bas Eikelenboom
    Bas Eikelenboom: RT @InfoSecHotSpot: Unfilled cybersecurity jobs are expected to reach 1.8 million by 2022, up 20 percent from 1.5 million in 2015, accordin…

  2. Bas Eikelenboom

  3. Bas Eikelenboom
    Bas Eikelenboom: RT @RidT: A few observations on today's "online escalation" New York Times story. I see lots of people making assumptions and jumping to co…

  4. Bas Eikelenboom
    Bas Eikelenboom: RT @bellingcat: Bellingcat's @Timmi_Allen put together the following video demonstrating how various images of the Kokuka Courageous match…

  5. Bas Eikelenboom
    Bas Eikelenboom: RT @InfoSecHotSpot: AI and 5G will create an explosion in cybersecurity risks, says FBI agent and general counsel at $50 billion firm https…

Archive

Categories