Haven't blogged in a while due to studying for the CISSP certification and working on other fun projects. Amazon EC2 instances are enormous fun to play with, and free to get started with, wish i had this type of stuff when i was in uni.
Came across this great story on RC4 and TLS:
Attack of the week: RC4 is kind of broken in TLS
Cipher suites in the TLS/SSL implementations have been an interesting area of late with a number of attacks being published in the last few months.
A fun thing to do is to scan a website using the TLSSLED shell script and see what cipher suites it supports.
Here's the output for google.com:
Accepted SSLv3 256 bits ECDHE-RSA-AES256-SHA
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 168 bits ECDHE-RSA-DES-CBC3-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 128 bits ECDHE-RSA-AES128-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 128 bits ECDHE-RSA-RC4-SHA
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 128 bits RC4-MD5
Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 168 bits ECDHE-RSA-DES-CBC3-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits ECDHE-RSA-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits ECDHE-RSA-RC4-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
The interesting listing in this case is "RC4-MD5", considering the MD5 is considered broken and should have been retired by now.
Compared this to api.square.com:443:
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 128 bits RC4-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits RC4-SHA
Which is in line with FIPS 140-2 Annex A.
No comments:
Post a Comment