Of the five off-list responses I've gotten so far, four have been "yikes --
thanks, on it!", and one has expressed concern about posting these scan
results publicly. This last is a fair question, and deserves a public
answer.
I try to walk the disclosure line responsibly. For example, for the
Alaskan HTTPS Qualys results that I cache [1], I limit access to Alaskan IP
space, which mitigates this concern for overall Alaskan SSL/TLS health.
But, in my opinion, SSLv2 is an entirely different animal.
Relying solely on obscurity -- and not upgrading/patching/mitigating -- to
address issues with SSLv2 (a protocol that has been deprecated *by RFC* for
five years! [2] ) was never a good idea, and now officially borders on
negligence. Any downstream clients who have heartburn from a public list
of SSLv2-exposed hosts need to start asking hard questions from their
providers -- about why the boxes in question are so insecure, and have been
exposed to the public Internet for so long.
In this modern era of masscan, Shodan, Qualys SSL Labs, and even good old
nmap ... anyone can search in a second, or scan in five minutes. And
Google's Project Zero [3] now automatically discloses major vulnerabilities
after a hard 90-day timer [4].
We must take steps to see the world from the attackers' eyes.
Royce
1. http://www.techsolvency.com/tls/
2. https://tools.ietf.org/html/rfc6176
3. https://en.wikipedia.org/wiki/Project_Zero_(Google)
4. https://code.google.com/p/google-security-research/issues/list?can=1
On Tue, Mar 1, 2016 at 9:00 PM, Royce Williams <royce@tycho.org> wrote:
> Did a fresh scan against known Alaskan hosts - attached are those that
> still offer SSLv2 and should be adjusted ASAP. Sorted by TLD, then domain,
> then host (so that hosts in the same domain are grouped together).
>
> Royce
>
>
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Wed Mar 2 08:22:56 2016
This archive was generated by hypermail 2.1.8 : Wed Mar 02 2016 - 08:22:56 AKST