Re: How to check for SSL1 ?

From: Thomas Springer (tuevsec_at_gmx.net)
Date: 09/29/05

  • Next message: Michael Sierchio: "Re: How to check for SSL1 ?"
    Date: Thu, 29 Sep 2005 11:08:12 +0200
    To: pen-test@securityfocus.com
    
    

    Hi Sahir,

    > Foundstone has a free tool called SSL Digger which basically does what
    > you're looking for -- identify the cipher suites supported by a particular

    I find this one nice, but I want to dig a bit deeper.

    Let me explain (correct me if I'm wrong!)

    To get an encrypted connection, you have to choose one of different
    PROTOCOLS for establishing your ssl-connection:

    - ssl v1 (ancient, considered vulnerable to mitm-attacks)
    - ssl v2 (old, considered vulnerable to mitm-attacks, but still supported by some servers)
    - ssl v3 (considered secure, but seldom used)
    - tls 1.0 (typically preferred these days)
    - tls 1.1 (rfc-draft, supported only by gnutls (server) and Opera (client))

    The connection-type is determined by the client. Almost all clients
    (e.g. Browsers) try to establish a TLS1.0-Connection first. If TLS1.0 is
    not available, they will fall back to SSLv3 (like they do at
    https://www.verisign.com) or something else the client supports.

    On top of this PROTOCOL the server offers a "preferred CIPHER" to be
    used. If the client (e.g. Browser) agrees, this one is used, otherwise
    the server will present other supported ciphers until the client agrees
    to use one of them.
    Almost all clients support the strong AES256-cipher these days.

    SSLDigger only checks available CIPHERS, not PROTOCOLS, nor will it show
    you the preferred cipher the server presents first!
    (Especially busy servers tend to present "cheap" ciphers first to
    minimize load on server or SSL-proxy, even when they would support
    stronger ciphers.)

    Have a look at the ssl-check at http://serversniff.net/sslcheck.php to
    see things at work.

    What I wanted to check is whether a server still offers the
    sslv1-Protocol. I also seem to remember that there were other SSL-like
    protocols years ago - any hints on these?

    tom
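An added example (not from the original post or any tool mentioned in it) of the kind of check the poster describes: send a bare ClientHello at each protocol version, offering several ciphers with the strong one first, and read back which protocol the server accepts and which cipher it actually picks. The `probe()` helper and the host/port are assumptions; the sample ServerHello and alert bytes are constructed to show a server that accepts TLS 1.0 but prefers RC4-MD5 over the offered AES256-SHA.

```python
import socket
import struct

# Version codes shared by the SSLv3 and TLS 1.0-1.2 record/handshake format.
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
# A few cipher-suite codes (RFC 2246/3268 names) used to label what the server picked.
SUITES = {0x0035: "AES256-SHA", 0x002F: "AES128-SHA", 0x000A: "DES-CBC3-SHA",
          0x0005: "RC4-SHA", 0x0004: "RC4-MD5", 0x0009: "DES-CBC-SHA"}

def build_client_hello(version, suites):
    """Minimal ClientHello offering `suites` (in our preferred order) at `version`."""
    body = struct.pack(">H", version) + b"\x00" * 32 + b"\x00"    # version, random, empty session id
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                                            # one compression method: null
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body  # type=ClientHello, 24-bit length
    return b"\x16" + struct.pack(">H", version) + struct.pack(">H", len(handshake)) + handshake

def parse_server_hello(data):
    """Return (protocol, cipher) the server chose, or None if it answered with an alert."""
    if data[:1] == b"\x15":            # Alert record: server rejected this protocol/cipher set
        return None
    if data[:1] != b"\x16" or data[5:6] != b"\x02":
        raise ValueError("not a ServerHello")
    hs = data[5:]                      # strip the 5-byte record header
    version = struct.unpack(">H", hs[4:6])[0]
    sid_len = hs[38]                   # after 4-byte handshake header, 2-byte version, 32-byte random
    suite = struct.unpack(">H", hs[39 + sid_len:41 + sid_len])[0]
    return VERSIONS.get(version, hex(version)), SUITES.get(suite, hex(suite))

def probe(host, port=443, suites=tuple(SUITES)):
    """Assumed helper: try each protocol version and report what the server accepts and prefers."""
    results = {}
    for version, name in VERSIONS.items():
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall(build_client_hello(version, suites))
            results[name] = parse_server_hello(s.recv(4096))
    return results

# Constructed sample: ServerHello accepting TLS 1.0 and picking RC4-MD5 (no session id).
SAMPLE_SERVER_HELLO = (b"\x16\x03\x01\x00\x2a"            # record header, 42-byte handshake
                       + b"\x02\x00\x00\x26\x03\x01"      # ServerHello, 38-byte body, TLS 1.0
                       + b"\x11" * 32                      # server random
                       + b"\x00" + b"\x00\x04" + b"\x00")  # sid len 0, RC4-MD5, null compression
# Constructed sample: fatal protocol_version alert, i.e. the server refused that protocol.
SAMPLE_ALERT = b"\x15\x03\x00\x00\x02\x02\x46"

if __name__ == "__main__":
    print(parse_server_hello(SAMPLE_SERVER_HELLO))  # ('TLSv1.0', 'RC4-MD5')
    print(parse_server_hello(SAMPLE_ALERT))         # None
```

SSLv2 uses a different record format and is not covered by this probe, and a TLS 1.3 server keeps 0x0303 in the ServerHello version field and signals 1.3 in an extension, so treat "TLSv1.2" results from modern servers accordingly.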


