[aklug] Re: [NUGA] Re: If you are still running SSLv2, you should disable it ASAP

From: Royce Williams <royce@tycho.org>
Date: Wed Mar 02 2016 - 10:32:29 AKST

Obscurity is fine -- as a layer. As long as it's not the only layer. :)

And your domains may just be ones that I don't know about yet -- feel free
to submit updates. :)



On Wed, Mar 2, 2016 at 10:15 AM, kris laubenstein <krislaubenstein@gmail.com> wrote:

> For what it's worth, I agree with Royce. We all know security through
> obscurity is no security at all. Also, it feels good to not see any of my
> domains on a truly "external" scan!
> If you're running IIS, a super easy tool for quick cryptography configs is
> a tool called IIScrypto. Sure, you can do it all easier through CLI, but
> there's something to be said about being able to hand off some security and
> crypto config to the help desk.
> https://www.nartac.com/Products/IISCrypto
> Kris
> On Mar 2, 2016 10:05 AM, "Royce Williams" <royce@tycho.org> wrote:
>> Of the five off-list responses I've gotten so far, four have been "yikes
>> -- thanks, on it!", and one has expressed concern about posting these scan
>> results publicly. This last is a fair question, and deserves a public
>> answer.
>> I try to walk the disclosure line responsibly. For example, for the
>> Alaskan HTTPS Qualys results that I cache [1], I limit access to Alaskan IP
>> space, which mitigates this concern for overall Alaskan SSL/TLS health.
>> But, in my opinion, SSLv2 is an entirely different animal.
>> Relying solely on obscurity -- and not upgrading/patching/mitigating --
>> to address issues with SSLv2 (a protocol that has been deprecated *by RFC*
>> for five years! [2] ) was never a good idea, and now officially borders on
>> negligence. Any downstream clients who have heartburn from a public list
>> of SSLv2-exposed hosts need to start asking hard questions of their
>> providers -- about why the boxes in question are so insecure, and have been
>> exposed to the public Internet for so long.
>> In this modern era of masscan, Shodan, Qualys SSL Labs, and even good old
>> nmap ... anyone can search in a second, or scan in five minutes. And
>> Google's Project Zero [3] now automatically discloses major vulnerabilities
>> after a hard 90-day timer [4].
>> We must take steps to see the world from the attackers' eyes.
>> Royce
>> 1. http://www.techsolvency.com/tls/
>> 2. https://tools.ietf.org/html/rfc6176
>> 3. https://en.wikipedia.org/wiki/Project_Zero_(Google)
>> 4. https://code.google.com/p/google-security-research/issues/list?can=1
>> On Tue, Mar 1, 2016 at 9:00 PM, Royce Williams <royce@tycho.org> wrote:
>>> Did a fresh scan against known Alaskan hosts - attached are those that
>>> still offer SSLv2 and should be adjusted ASAP. Sorted by TLD, then domain,
>>> then host (so that hosts in the same domain are grouped together).
>>> Royce

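Kris's remark about doing the Schannel configuration from the CLI, as an added example that is not part of this thread and not IISCrypto's code: a PowerShell snippet that audits the Microsoft-documented Schannel registry values for SSL 2.0 and can write the disabled state. It assumes it is run from an elevated (Administrator) session on the Windows host being fixed.

```powershell
# Added example: audit and remediate SSL 2.0 in Schannel on a Windows/IIS host.
# The key path and the Enabled / DisabledByDefault DWORDs are Microsoft's documented
# Schannel protocol controls. Assumption: run as Administrator; a reboot follows.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0'

function Get-Ssl2State {
    # One object per role (Server/Client) with the raw values and a hard-off verdict.
    foreach ($role in 'Server', 'Client') {
        $key = Join-Path $base $role
        $enabled = $null
        $disabledByDefault = $null
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            $enabled = $props.Enabled
            $disabledByDefault = $props.DisabledByDefault
        }
        # Absent keys mean "OS default", which on older Windows Server releases still
        # permits SSLv2; only the explicit 0/1 pair counts as disabled here.
        [pscustomobject]@{
            Role              = $role
            Enabled           = $enabled
            DisabledByDefault = $disabledByDefault
            HardDisabled      = ($enabled -eq 0 -and $disabledByDefault -eq 1)
        }
    }
}

function Disable-Ssl2 {
    # Creates the Server and Client subkeys if missing and writes the two DWORDs
    # that turn the protocol off for both inbound and outbound Schannel use.
    foreach ($role in 'Server', 'Client') {
        $key = Join-Path $base $role
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -PropertyType DWord -Force | Out-Null
    }
    Write-Warning 'Schannel reads these values at startup; reboot before re-scanning the host.'
}

# Audit first; call Disable-Ssl2 once the report shows HardDisabled = False.
Get-Ssl2State | Format-Table -AutoSize
```

After the reboot, re-run the same external SSLv2 check the thread describes (nmap, Qualys SSL Labs) to confirm the host no longer offers SSLv2, since the registry state alone does not prove what the listener negotiates.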
Received on Wed Mar 2 08:50:41 2016

This archive was generated by hypermail 2.1.8 : Wed Mar 02 2016 - 08:50:41 AKST