Penetration Testing mailing list archives

RE: verify HTTPS 'vulnerabilities'


From: "Todd Towles" <toddtowles () brookshires com>
Date: Tue, 26 Jul 2005 16:02:41 -0500

Would SSLDigger from Foundstone not work? For at least part of the
testing? 

-----Original Message-----
From: Thomas Springer [mailto:tuevsec () gmx net] 
Sent: Tuesday, July 26, 2005 10:28 AM
To: pen-test () securityfocus com
Cc: Dan Rogers
Subject: Re: verify HTTPS 'vulnerabilities'

Dan Rogers wrote:
List,

Simple question:

I have a report from Nessus telling me that a web server is offering
'export class' cyphers for its SSL/TLS service. Nessus also managed to
obtain an internal IP address from the host (which is correct).
Only HTTPS is open.

I put an HTTPS check based on OpenSSL online at
http://serversniff.net that tells you about certs and allowed
ciphers on your HTTPS server.

tom


