Penetration Testing mailing list archives

Re: verify HTTPS 'vulnerabilities'


From: Michael Sierchio <ducatista () camber-thrust net>
Date: Tue, 26 Jul 2005 14:23:50 -0700


In addition to the cogent comments of others, I suggest you
assure that you cannot establish an SSL 2.0 connection -- the
protocol has vulnerabilities which are exploitable, and most
browsers and some servers still support this version.  Only
TLS 1.0 or SSL 3.0 should be used.

The server handshake provides a list of DNs of trusted
signers, that's something to look at since it has an
impact on client auth.

You should determine if a client can downgrade the security
to a degree to which the communication cannot be considered
adequately secured or private.
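
The SSL 2.0 check suggested in the message above, as an added example that is not part of the original post: current OpenSSL builds have removed SSLv2, so the code builds the SSLv2 CLIENT-HELLO by hand and classifies the first bytes of the reply. The function names, result labels and sample replies are constructed for illustration.

```python
import os
import socket
import struct

# SSLv2 cipher kinds (3 bytes each) as listed in the SSL 2.0 specification.
SSL2_CIPHERS = bytes.fromhex("0100800200800300800400800500800600400700c0")

def build_client_hello(challenge=None):
    """Return an SSLv2 CLIENT-HELLO record (2-byte header, high bit set)."""
    challenge = challenge or os.urandom(16)
    body = struct.pack(">BHHHH", 1, 0x0002, len(SSL2_CIPHERS), 0,
                       len(challenge)) + SSL2_CIPHERS + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body

def classify_reply(data):
    """Decide from the first reply bytes whether SSLv2 was negotiated."""
    if len(data) < 3:
        return "refused"                # closed or reset without an answer
    if data[0] == 0x15 and data[1] == 0x03:
        return "refused-alert"          # SSL 3.0 / TLS alert record
    if data[0] & 0x80 and data[2] == 0x00:
        return "refused-ssl2-error"     # SSLv2 ERROR message
    if data[0] & 0x80 and data[2] == 0x04 and len(data) >= 11:
        # SERVER-HELLO: cipher-specs-length sits at offset 9 of the record.
        cipher_len = struct.unpack(">H", data[9:11])[0]
        return "ssl2-accepted" if cipher_len > 0 else "ssl2-no-ciphers"
    return "unknown"

def probe(host, port=443, timeout=5.0):
    """Send the hello to a server you are assessing and classify the reply."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            sock.sendall(build_client_hello())
            while len(data) < 11:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
        except OSError:
            pass                        # reset or timeout: classify what arrived
    return classify_reply(data)

# Constructed replies (not captured traffic) for checking the classifier offline.
SAMPLES = {
    "ssl2-accepted": bytes.fromhex("801e0400010002000000030010010080") + bytes(16),
    "refused-alert": bytes.fromhex("15030100020228"),
}
```

A result of `ssl2-accepted` is the finding to report; `ssl2-no-ciphers` means the server still parses SSLv2 hellos but has every SSLv2 cipher disabled.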

