[aklug] Re: [NUGA] Re: If you are still running SSLv2, you should disable it ASAP

From: kris laubenstein <krislaubenstein@gmail.com>
Date: Wed Mar 02 2016 - 10:15:55 AKST

For what it's worth, I agree with Royce. We all know security through
obscurity is no security at all. Also, it feels good to not see any of my
domains on a truly "external" scan!

If you're running IIS, a super easy tool for quick cryptography configs is
a tool called IIScrypto. Sure, you can do it all easier through CLI, but
there's something to be said about being able to hand off some security and
crypto config to the help desk.

https://www.nartac.com/Products/IISCrypto

Kris
On Mar 2, 2016 10:05 AM, "Royce Williams" <royce@tycho.org> wrote:

> Of the five off-list responses I've gotten so far, four have been "yikes
> -- thanks, on it!", and one has expressed concern about posting these scan
> results publicly. This last is a fair question, and deserves a public
> answer.
>
> I try to walk the disclosure line responsibly. For example, for the
> Alaskan HTTPS Qualys results that I cache [1], I limit access to Alaskan IP
> space, which mitigates this concern for overall Alaskan SSL/TLS health.
>
> But, in my opinion, SSLv2 is an entirely different animal.
>
> Relying solely on obscurity -- and not upgrading/patching/mitigating -- to
> address issues with SSLv2 (a protocol that has been deprecated *by RFC* for
> five years! [2] ) was never a good idea, and now officially borders on
> negligence. Any downstream clients who have heartburn from a public list
> of SSLv2-exposed hosts need to start asking hard questions from their
> providers -- about why the boxes in question are so insecure, and have been
> exposed to the public Internet for so long.
>
> In this modern era of masscan, Shodan, Qualys SSL Labs, and even good old
> nmap ... anyone can search in a second, or scan in five minutes. And
> Google's Project Zero [3] now automatically discloses major vulnerabilities
> after a hard 90-day timer [4].
>
> We must take steps to see the world from the attackers' eyes.
>
> Royce
>
> 1. http://www.techsolvency.com/tls/
> 2. https://tools.ietf.org/html/rfc6176
> 3. https://en.wikipedia.org/wiki/Project_Zero_(Google)
> 4. https://code.google.com/p/google-security-research/issues/list?can=1
>
>
> On Tue, Mar 1, 2016 at 9:00 PM, Royce Williams <royce@tycho.org> wrote:
>
>> Did a fresh scan against known Alaskan hosts - attached are those that
>> still offer SSLv2 and should be adjusted ASAP. Sorted by TLD, then domain,
>> then host (so that hosts in the same domain are grouped together).
>>
>> Royce
>>
>
>

Received on Wed Mar 2 08:33:36 2016

This archive was generated by hypermail 2.1.8 : Wed Mar 02 2016 - 08:33:36 AKST