[aklug] Re: [NUGA] If you are still running SSLv2, you should disable it ASAP

From: macdonald.org <jim@macdonald.org>
Date: Wed Mar 02 2016 - 10:42:34 AKST

a visual impression of security by obscurity

> On Mar 2, 2016, at 10:15 AM, kris laubenstein <krislaubenstein@gmail.com> wrote:
>
> For what it's worth, I agree with Royce. We all know security through obscurity is no security at all. Also, it feels good to not see any of my domains on a truly "external" scan!
>
> If you're running IIS, a super easy tool for quick cryptography configs is a tool called IIScrypto. Sure, you can do it all easier through CLI, but there's something to be said about being able to hand off some security and crypto config to the help desk.
>
> https://www.nartac.com/Products/IISCrypto <https://www.nartac.com/Products/IISCrypto>
> Kris
>
> On Mar 2, 2016 10:05 AM, "Royce Williams" <royce@tycho.org <mailto:royce@tycho.org>> wrote:
> Of the five off-list responses I've gotten so far, four have been "yikes -- thanks, on it!", and one has expressed concern about posting these scan results publicly. This last is a fair question, and deserves a public answer.
>
> I try to walk the disclosure line responsibly. For example, for the Alaskan HTTPS Qualys results that I cache [1], I limit access to Alaskan IP space, which mitigates this concern for overall Alaskan SSL/TLS health.
>
> But, in my opinion, SSLv2 is an entirely different animal.
>
> Relying solely on obscurity -- and not upgrading/patching/mitigating -- to address issues with SSLv2 (a protocol that has been deprecated *by RFC* for five years! [2] ) was never a good idea, and now officially borders on negligence. Any downstream clients who have heartburn from a public list of SSLv2-exposed hosts need to start asking hard questions from their providers -- about why the boxes in question are so insecure, and have been exposed to the public Internet for so long.
>
> In this modern era of masscan, Shodan, Qualys SSL Labs, and even good old nmap ... anyone can search in a second, or scan in five minutes. And Google's Project Zero [3] now automatically discloses major vulnerabilities after a hard 90-day timer [4].
>
> We must take steps to see the world from the attackers' eyes.
>
> Royce
>
> 1. http://www.techsolvency.com/tls/ <http://www.techsolvency.com/tls/>
> 2. https://tools.ietf.org/html/rfc6176 <https://tools.ietf.org/html/rfc6176>
> 3. https://en.wikipedia.org/wiki/Project_Zero_(Google) <https://en.wikipedia.org/wiki/Project_Zero_(Google)>
> 4. https://code.google.com/p/google-security-research/issues/list?can=1 <https://code.google.com/p/google-security-research/issues/list?can=1>
>
>
> On Tue, Mar 1, 2016 at 9:00 PM, Royce Williams <royce@tycho.org <mailto:royce@tycho.org>> wrote:
> Did a fresh scan against known Alaskan hosts - attached are those that still offer SSLv2 and should be adjusted ASAP. Sorted by TLD, then domain, then host (so that hosts in the same domain are grouped together).
>
> Royce
> ​
>

---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.

Received on Wed Mar 2 09:00:22 2016

This archive was generated by hypermail 2.1.8 : Wed Mar 02 2016 - 09:00:22 AKST