Penetration Testing mailing list archives
Re: verify HTTPS 'vulnerabilities'
From: Michael Sierchio <ducatista () camber-thrust net>
Date: Tue, 26 Jul 2005 14:23:50 -0700
In addition to the cogent comments of others, I suggest you assure that you cannot establish an SSL 2.0 connection -- the protocol has vulnerabilities which are exploitable, and most browsers and some servers still support this version. Only TLS 1.0 or SSL 3.0 should be used. The server handshake provides a list of DNs of trusted signers, that's something to look at since it has an impact on client auth. You should determine if a client can downgrade the security to a degree to which the communication cannot be considered adequately secured or private.
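One way to turn the two checks in this reply (no SSL 2.0 handshake should complete; the negotiated version should not fall below your floor) into something you can run over captured traffic is to parse the first message in each direction and classify it. The example below is added here and is not code from the post or its author. It parses both the 2-byte-header SSLv2 CLIENT-HELLO/SERVER-HELLO format and the SSLv3/TLS handshake record format, using only the public layouts of those messages, and the sample byte strings are constructed for illustration (the SSLv2 SERVER-HELLO omits the certificate, and the random/challenge fields are filler). The `minimum` parameter is the example's own knob; the reply's floor of SSL 3.0 / TLS 1.0 would be `(3, 0)`, and because SSL 3.0 and TLS 1.0/1.1 have since been formally deprecated (RFC 7568, RFC 8996) a present-day assessment would set it to `(3, 3)` or higher.

```python
"""Classify captured SSL/TLS hello messages and flag SSL 2.0 use and version downgrades.

Added example; the sample captures below are constructed, not real traffic.
"""
import struct
from dataclasses import dataclass, field

SSLV2 = "SSLv2"            # 2-byte record header, message type in first payload byte
TLS_RECORD = "SSLv3/TLS"   # content-type 0x16 handshake record

VERSION_NAMES = {(0, 2): "SSL 2.0", (3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
                 (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def version_name(v):
    return VERSION_NAMES.get(v, "version %d.%d" % v)


@dataclass
class Hello:
    role: str                 # "client" or "server"
    record_format: str        # SSLV2 or TLS_RECORD
    version: tuple            # (major, minor) offered by the client / chosen by the server
    cipher_specs: list = field(default_factory=list)  # 3-byte SSLv2 kinds or 2-byte TLS suites


def _sslv2_record(data):
    """Return the payload if data starts with a 2-byte SSLv2 record header, else None."""
    if len(data) < 3 or not data[0] & 0x80:
        return None
    length = ((data[0] & 0x7F) << 8) | data[1]
    payload = data[2:2 + length]
    if len(payload) != length:
        raise ValueError("truncated SSLv2 record")
    return payload


def parse_client_hello(data):
    payload = _sslv2_record(data)
    if payload is not None and payload[0] == 0x01:        # SSLv2 CLIENT-HELLO
        major, minor = payload[1], payload[2]
        cs_len, sid_len, ch_len = struct.unpack("!HHH", payload[3:9])
        specs = payload[9:9 + cs_len]
        return Hello("client", SSLV2, (major, minor),
                     [specs[i:i + 3] for i in range(0, cs_len, 3)])
    if data[0] == 0x16 and data[5] == 0x01:               # TLS record carrying client_hello
        major, minor = data[9], data[10]
        pos = 11 + 32                                     # skip client random
        pos += 1 + data[pos]                              # skip session id
        (cs_len,) = struct.unpack("!H", data[pos:pos + 2])
        pos += 2
        return Hello("client", TLS_RECORD, (major, minor),
                     [data[i:i + 2] for i in range(pos, pos + cs_len, 2)])
    raise ValueError("not a recognised ClientHello")


def parse_server_hello(data):
    payload = _sslv2_record(data)
    if payload is not None and payload[0] == 0x04:        # SSLv2 SERVER-HELLO
        major, minor = payload[3], payload[4]             # after SESSION-ID-HIT, CERTIFICATE-TYPE
        cert_len, cs_len, cid_len = struct.unpack("!HHH", payload[5:11])
        specs = payload[11 + cert_len:11 + cert_len + cs_len]
        return Hello("server", SSLV2, (major, minor),
                     [specs[i:i + 3] for i in range(0, cs_len, 3)])
    if data[0] == 0x16 and data[5] == 0x02:               # TLS record carrying server_hello
        major, minor = data[9], data[10]
        pos = 11 + 32
        pos += 1 + data[pos]
        return Hello("server", TLS_RECORD, (major, minor), [data[pos:pos + 2]])
    raise ValueError("not a recognised ServerHello")


def assess(client, server, minimum=(3, 1)):
    """Return a list of findings for one client/server hello pair."""
    problems = []
    if server.record_format == SSLV2 or server.version == (0, 2):
        problems.append("server completed an SSL 2.0 handshake")
    if client.record_format == SSLV2:
        problems.append("client sent an SSLv2-compatible hello, so it will accept SSL 2.0 if offered")
    if any(spec[0] != 0 for spec in client.cipher_specs):   # SSLv2 kinds have a non-zero first byte
        problems.append("client offered SSLv2-only cipher kinds")
    if server.version < minimum:
        problems.append("negotiated %s is below the required minimum %s"
                        % (version_name(server.version), version_name(minimum)))
    if server.version < client.version:
        problems.append("negotiated version is lower than the client's maximum (possible downgrade)")
    return problems


# Constructed samples: an SSLv2-format exchange that settles on SSL 2.0, and a TLS 1.0 exchange.
SSLV2_CLIENT_HELLO = (b"\x80\x1f\x01\x03\x01" + struct.pack("!HHH", 6, 0, 16)
                      + b"\x00\x00\x35" + b"\x01\x00\x80" + b"\xaa" * 16)
SSLV2_SERVER_HELLO = (b"\x80\x1e\x04\x00\x01\x00\x02" + struct.pack("!HHH", 0, 3, 16)
                      + b"\x01\x00\x80" + b"\xbb" * 16)
TLS_CLIENT_HELLO = (b"\x16\x03\x01\x00\x2f" + b"\x01\x00\x00\x2b" + b"\x03\x01" + b"\xcc" * 32
                    + b"\x00" + b"\x00\x04" + b"\x00\x35\x00\x2f" + b"\x01\x00")
TLS_SERVER_HELLO = (b"\x16\x03\x01\x00\x2a" + b"\x02\x00\x00\x26" + b"\x03\x01" + b"\xdd" * 32
                    + b"\x00" + b"\x00\x35" + b"\x00")

if __name__ == "__main__":
    for c, s in ((SSLV2_CLIENT_HELLO, SSLV2_SERVER_HELLO), (TLS_CLIENT_HELLO, TLS_SERVER_HELLO)):
        for line in assess(parse_client_hello(c), parse_server_hello(s)) or ["no findings"]:
            print("-", line)
```

Feeding real captures in means extracting the first TCP payload in each direction of a port-443 flow; the parsers only look at the leading bytes of each, so a partial capture of the hello is enough. The SSLv2-compatible ClientHello is worth flagging even when the server answers in TLS, because it is exactly the client behaviour that lets a server still speaking SSL 2.0 select it.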
Current thread:
- verify HTTPS 'vulnerabilities' Dan Rogers (Jul 21)
- RE: verify HTTPS 'vulnerabilities' Daniel Grzelak (Jul 21)
- RE: verify HTTPS 'vulnerabilities' Omar Herrera (Jul 21)
- Re: verify HTTPS 'vulnerabilities' Thomas Springer (Jul 26)
- Re: verify HTTPS 'vulnerabilities' Michael Sierchio (Jul 26)
- <Possible follow-ups>
- RE: verify HTTPS 'vulnerabilities' Jarmon, Don R (Jul 21)
- RE: verify HTTPS 'vulnerabilities' Jordan Del-Grande (Jul 21)
- RE: verify HTTPS 'vulnerabilities' Carl (Jul 22)
- RE: verify HTTPS 'vulnerabilities' Todd Towles (Jul 26)