WebApp Sec mailing list archives
RE: SSL Ciphers
From: "Lyal Collins" <lyal.collins () key2it com au>
Date: Sat, 1 Apr 2006 15:13:55 +1100
In November 2005 last year, I was involved in a cycle of testing on a pre-production server. One NULL cipher mode was enabled, along with a bunch of 'export' grade cipher modes. Needless to say, this was indicative of the overall state of coding and configuration on the system. The service eventually did go live about 3 months late, without much more security testing occurring due to money problems. Shudder.

Lyal

-----Original Message-----
From: pagvac [mailto:unknown.pentester () gmail com]
Sent: Friday, 31 March 2006 12:47 AM
To: webappsec () securityfocus com
Subject: SSL Ciphers

I was wondering if any of you can give me some decent links on the topic of SSL ciphers and different strengths that can be supported by web servers. Basically I'm interested in the following:

- the so-called "null ciphers" (which provide *no* encryption at all). These are mainly NULL-MD5 and NULL-SHA. How often are these found to be supported by web servers?
- client-side technologies that allow you to *downgrade* the cipher used by a web browser (ActiveX?)
- hardening guidelines that illustrate how to disable weak ciphers from popular web servers such as Apache and IIS

I personally found useful the white paper by Foundstone that comes with their "SSL Digger" tool, which is used to find out the different ciphers supported by a web server.

Related links:
http://www.openssl.org/docs/apps/ciphers.html
http://www.foundstone.com/resources/termsofuse.htm?file=ssldigger.zip

--
pagvac [http://ikwt.com]

-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics
ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world examples of recent hacking methods such as: SQL Injection, Cross Site Scripting and Parameter Manipulation
https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------
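Editor's added example, not part of either post above and not SSLDigger's or OpenSSL's code: the two messages turn on spotting NULL (no encryption), export-grade and similarly weak suites in whatever a server advertises. The script below parses a cipher list in the column layout of `openssl ciphers -v` (name, protocol, Kx=, Au=, Enc=, Mac=, trailing "export" flag) and sorts each suite into the category that a pre-go-live review would care about. The sample list is constructed here to resemble the server Lyal describes (NULL and export suites enabled alongside acceptable ones); it is not captured output from any real host, and the category thresholds are this example's own choices.

```python
"""Classify cipher suites from `openssl ciphers -v` style output.

Flags NULL, anonymous, export-grade and low-strength suites so that a list
taken from a server (SSLDigger output, or `openssl ciphers -v '<the server's
SSLCipherSuite string>'`) can be audited offline.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input (not captured from a real host) in the
# `openssl ciphers -v` layout: NULL and export suites next to sane ones.
SAMPLE_CIPHER_LIST = """\
NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<flags>.*)$"
)
BITS_RE = re.compile(r"\((\d+)\)")

# Worst first: a suite lands in the first category that applies to it.
CATEGORIES = ("null", "anon", "export", "low", "ok")


@dataclass
class Suite:
    name: str
    protocol: str
    kx: str
    au: str
    enc: str
    mac: str
    export: bool

    @property
    def enc_bits(self) -> Optional[int]:
        """Symmetric key size parsed from e.g. 'AES(128)'; None if not printed."""
        m = BITS_RE.search(self.enc)
        return int(m.group(1)) if m else None

    def category(self) -> str:
        if self.enc == "None":      # NULL-MD5 / NULL-SHA: MAC only, traffic in the clear
            return "null"
        if self.au == "None":       # ADH/AECDH: no server authentication, trivial MITM
            return "anon"
        if self.export:             # 40-bit cipher and/or 512-bit RSA key exchange
            return "export"
        if self.enc_bits is not None and self.enc_bits <= 64:  # single DES and the like
            return "low"
        # Passes the checks the thread asks about. A present-day review would also
        # reject RC4, MD5-based MACs and anything negotiated under SSLv3.
        return "ok"


def parse_cipher_list(text: str) -> List[Suite]:
    suites = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised cipher line: {line!r}")
        suites.append(Suite(
            name=m["name"], protocol=m["proto"], kx=m["kx"], au=m["au"],
            enc=m["enc"], mac=m["mac"],
            export="export" in m["flags"].split(),
        ))
    return suites


def audit(text: str) -> Dict[str, List[str]]:
    """Group suite names by category, keeping the list's original order."""
    report: Dict[str, List[str]] = {c: [] for c in CATEGORIES}
    for suite in parse_cipher_list(text):
        report[suite.category()].append(suite.name)
    return report


def weak_suite_names(text: str) -> List[str]:
    """Every suite that should be disabled before the service goes live."""
    report = audit(text)
    return [n for c in CATEGORIES if c != "ok" for n in report[c]]


if __name__ == "__main__":
    for cat, names in audit(SAMPLE_CIPHER_LIST).items():
        print(f"{cat:7s} {', '.join(names) or '-'}")
```

To confirm a finding against a live host rather than a list, `openssl s_client -connect host:443 -cipher NULL-SHA` offers only that one suite, so the handshake completes only if the server really accepts it. On the hardening side, the same OpenSSL cipher-list syntax that mod_ssl's SSLCipherSuite directive takes (documented at the ciphers.html link above) removes these classes directly: `!eNULL` drops the NULL-encryption suites, `!aNULL` the anonymous ones, and `!EXPORT:!LOW` the export and low-strength ones.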
Current thread:
- RE: SSL Ciphers Lyal Collins (Apr 01)