[Cryptography] SSLv3 in the wild
John Denker
jsd at av8n.com
Wed Oct 29 15:38:55 EDT 2014
As John Oliver might say:
  SSLv3 -- How is that still a thing?

SSLv3 was deprecated and superseded by TLS1.0 in 1999
  http://tools.ietf.org/html/rfc2246

I was disappointed to find large SSLv3-only servers existing
in the wild, 15 years post TLS, and two weeks post-POODLE.
I was expecting a few small clients, but I'm not sure I was
expecting large servers.

Here is an example that you may find useful, as a test-target
or perhaps a talking point. Canadian tax dollars at work:
  https://flightplanning.navcanada.ca/

Note that there is no "http" access to the navcanada site.
This is relevant because it removes a possible workaround,
and violates the dictum that says if you can't encrypt
properly you shouldn't encrypt at all.

The overall situation is a pain in the neck because it means
I can't just eradicate all traces of SSLv3 and forget about it.

Firefox says:
> Secure Connection Failed
>
> An error occurred during a connection to flightplanning.navcanada.ca.
> Cannot communicate securely with peer: no common encryption
> algorithm(s). (Error code: ssl_error_no_cypher_overlap)

Nmap seems to have an overoptimistic notion of "strong":

  nmap --script ssl-enum-ciphers -p 443 flightplanning.navcanada.ca

> Starting Nmap 6.40 ( http://nmap.org ) at 2014-10-29 12:07 MST
> Nmap scan report for flightplanning.navcanada.ca (207.236.24.143)
> Host is up (0.076s latency).
> rDNS record for 207.236.24.143: www.metcambeta.navcanada.ca
> PORT    STATE SERVICE
> 443/tcp open  https
> | ssl-enum-ciphers:
> |   SSLv3:
> |     ciphers:
> |       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
> |       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
> |       TLS_RSA_WITH_AES_128_CBC_SHA - strong
> |       TLS_RSA_WITH_AES_256_CBC_SHA - strong
> |     compressors:
> |       NULL
> |_    least strength: strong
>
> Nmap done: 1 IP address (1 host up) scanned in 2.82 seconds
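
Added example, not part of the original post: a small Python check that re-reads `ssl-enum-ciphers` output in the format quoted above and reports what the per-cipher "strong" grade leaves out, namely that every offered suite is a CBC suite under SSLv3 (the POODLE case) and that no TLS version is offered at all. The function names and finding texts are illustrative assumptions, and only the `NAME - grade` line format shown in the post is handled.

```python
import re

# Sample input: the SSLv3 section of the scan output quoted in the post.
SAMPLE = """\
> | ssl-enum-ciphers:
> | SSLv3:
> | ciphers:
> | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
> | TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
> | TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
> | TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
> | TLS_RSA_WITH_AES_128_CBC_SHA - strong
> | TLS_RSA_WITH_AES_256_CBC_SHA - strong
> | compressors:
> | NULL
> |_ least strength: strong
"""

PROTO = re.compile(r"^(SSLv\d|TLSv\d\.\d):$")
CIPHER = re.compile(r"^((?:TLS|SSL)_\w+) - (\w+)$")

def parse(text):
    """Map each protocol version to the (cipher, nmap_grade) pairs listed under it."""
    offered, current = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("> |_").strip()  # drop mail quoting and nmap tree marks
        if PROTO.match(line):
            current = line[:-1]
            offered[current] = []
        elif current and (m := CIPHER.match(line)):
            offered[current].append(m.groups())
    return offered

def regrade(offered):
    """Return findings that the per-cipher grade alone does not express."""
    findings = []
    if offered and not any(p.startswith("TLSv") for p in offered):
        findings.append("no TLS version offered: clients with SSLv3 disabled cannot connect")
    for cipher, grade in offered.get("SSLv3", []):
        if "_CBC_" in cipher:  # POODLE targets CBC padding as defined in SSLv3
            findings.append(f"SSLv3 {cipher}: graded '{grade}', but CBC under SSLv3 is exposed to POODLE")
    return findings

if __name__ == "__main__":
    for finding in regrade(parse(SAMPLE)):
        print(finding)
```
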