Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: SSLv2 on email server

From: robert () outpost24 com
Date: 4 Jun 2007 08:35:45 -0000
David M. Zendzian wrote:

Anyone know if the SSL issues with v2 are exploitable with email servers?


The weaknesses known for SSLv2 are independent of the service behind it.

SSLv2 weaknesses are talked about here:
http://www.eucybervote.org/Reports/MSI-WP2-D7V1-V1.0-02.htm

_3.1.4.1 SSLv2 vs. SSLv3/TLS_
The first public version of SSL, version 2, suffered from a number of security flaws, which have been fixed in SSLv3. 
As browsers nowadays still support SSLv2, and as it is still in use in some systems, we briefly sum up its security 
problems:

· the same cryptographic keys are used for message authentication and for encryption, which means that in export mode 
also the MACs are unnecessarily weakened (due to U.S. export restrictions, the symmetric key length that could be used 
in Netscape and Internet Explorer was limited to 40 bits. If the restricted data encryption key is also used for 
message authentication, the security of the MACs is also crippled, although this was not required by the U.S. export 
restrictions);

· SSLv2 has a weak MAC construction and relies solely on the MD5 hash function;

· SSLv2 does not have any protection for the handshake, so that a person-in-the-middle attack cannot be detected;

· finally, a truncation attack is possible, as SSLv2 simply uses the TCP connection close to indicate the end of data, 
so that the attacker can simply forge the TCP FINs and the recipient cannot tell that it is not a legitimate end of 
data (SSLv3 fixes this problem by having an explicit closure alert).

Robert

--
Robert E. Lee
Chief Security Officer
http://www.outpost24.com

phone: +46-455-61-2320
fax : +46-455-1-3960
email: robert () outpost24 com 

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: