[Cryptography] demonstrating SSLv2 weaknesses

Robin Wood robin at digi.ninja
Sun Jul 2 07:17:29 EDT 2017


On Sun, 2 Jul 2017 at 10:42 Florian Weimer <fw at deneb.enyo.de> wrote:

> * Robin Wood:
>
> > So, are there any practical, walk-through demos attacking SSLv2, v3 or any
> > of the other crypto that regularly gets written up as weak?
>
> The SSLv2 truncation vulnerability should be practical to demonstrate,
> except it may be tricky to find an HTTPS client which does not
> reimplement it on top of later TLS versions.
>

Do you know any good references to start with for looking at it?

Your comment highlights a second problem I see with writing up crypto-based
vulns. Trying to get successful exploitation (from what I can tell) is
likely to be very hard in most real-world situations, as the clients won't
use the weak stuff. This gets written up as medium and sometimes even high
risk, which it sort of is, but at the same time isn't, due to other
mitigations.

Robin