WebApp Sec mailing list archives

SSL Ciphers


From: pagvac <unknown.pentester () gmail com>
Date: Thu, 30 Mar 2006 14:46:48 +0100

I was wondering if any of you can give me some decent links on the
topic of SSL ciphers and different strengths that can be supported by
web servers.

Basically I'm interested in the following:

- the so-called "null ciphers" (which provide *no* encryption at all).
These are mainly NULL-MD5 and NULL-SHA. How often are these found to
be supported by web servers?
- client-side technologies that allow you to *downgrade* the cipher
used by a web browser (ActiveX?)
- hardening guidelines that illustrate how to disable weak ciphers
from popular web servers such as Apache and IIS

I personally found useful the white paper by Foundstone that comes
with their "SSL Digger" tool which is used to find out the different
ciphers supported by a web server.


Related links:

http://www.openssl.org/docs/apps/ciphers.html
http://www.foundstone.com/resources/termsofuse.htm?file=ssldigger.zip

--
pagvac
[http://ikwt.com]
