[Cryptography] demonstrating SSLv2 weaknesses

Robin Wood robin at digi.ninja
Sat Jul 1 15:23:35 EDT 2017


Occasionally when I'm doing security tests for clients one will pick me up
on a reported vulnerability and ask me to demonstrate it. For things like
SQLi or MS17-010 it is fine as they are fairly easy to demonstrate but I
was thinking about the crypto weaknesses.

I regularly write up SSLv2/v3/RC4 etc. as weak, but if I were challenged to
demonstrate why, I couldn't. A friend said it wasn't worth the hassle of
demonstrating as I could just point them at all the white papers but I know
some people who won't be convinced unless they see something happen,
whether that is a message decrypted or traffic modified.

For smaller firms at least, the argument being that if I, as a professional
tester who is paid to do this type of thing, can't do it, then is it worth
worrying about it as an issue? Sure, a nation state can do it and
researchers in a lab with lots of resources can, but their adversaries are
more likely to be script kiddies or, at worst, a customer with a grudge.

So, are there any practical, walk-through demos attacking SSLv2, v3 or any
of the other crypto that regularly gets written up as weak? I'd love
to have one in my bag that I could get out if I ever were challenged.

Robin