WebApp Sec mailing list archives
SSL Ciphers
From: pagvac <unknown.pentester () gmail com>
Date: Thu, 30 Mar 2006 14:46:48 +0100
I was wondering if any of you can give me some decent links on the topic of SSL ciphers and different strengths that can be supported by web servers.

Basically I'm interested in the following:

- the so-called "null ciphers" (which provide *no* encryption at all). These are mainly NULL-MD5 and NULL-SHA. How often are these found to be supported by web servers?
- client side technologies that allow you to *downgrade* the cipher used by a web browser (Active X?)
- hardening guidelines that illustrate how to disable weak ciphers from popular web servers such as Apache and IIS

I personally found useful the white paper by Foundstone that comes with their "SSL Digger" tool which is used to find out the different ciphers supported by a web server.

Related links:

http://www.openssl.org/docs/apps/ciphers.html
http://www.foundstone.com/resources/termsofuse.htm?file=ssldigger.zip

--
pagvac
[http://ikwt.com]