Skip to content

Publish Latest 2025-09-22 #459

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Sep 22, 2025
Merged

Publish Latest 2025-09-22 #459

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions ...9-Testing_for_Weak_Cryptography/01-Testing_for_Weak_Transport_Layer_Security.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,14 +38,14 @@ There are a large number of protocol versions, ciphers, and extensions supported
- [TLSv1.0 (BEAST)](https://www.acunetix.com/blog/web-security-zone/what-is-beast-attack/)
- [TLSv1.1 (Deprecated by RFC 8996)](https://tools.ietf.org/html/rfc8996)
- [EXPORT ciphers suites (FREAK)](https://en.wikipedia.org/wiki/FREAK)
- [NULL ciphers](https://www.rapid7.com/db/vulnerabilities/ssl-null-ciphers) ([they only provide authentication](https://tools.ietf.org/html/rfc4785)).
- NULL ciphers ([they only provide authentication](https://tools.ietf.org/html/rfc4785)).
- Anonymous ciphers (these may be supported on SMTP servers, as discussed in [RFC 7672](https://tools.ietf.org/html/rfc7672#section-8.2))
- [RC4 ciphers (NOMORE)](https://www.rc4nomore.com/)
- CBC mode ciphers (BEAST, [Lucky 13](https://en.wikipedia.org/wiki/Lucky_Thirteen_attack))
- [TLS compression (CRIME)](https://en.wikipedia.org/wiki/CRIME)
- [Weak DHE keys (LOGJAM)](https://weakdh.org/)

The [Mozilla Server Side TLS Guide](https://wiki.mozilla.org/Security/Server_Side_TLS) details the protocols and ciphers that are currently recommended.
The [Mozilla Server-Side TLS Guide](https://wiki.mozilla.org/Security/Server_Side_TLS) details the protocols and ciphers that are currently recommended.

#### Exploitability

Expand Down Expand Up @@ -107,7 +107,7 @@ Many sites will accept connections over unencrypted HTTP, and then immediately r

However, if an attacker is able to intercept this initial request, they could redirect the user to a malicious site, or use a tool such as [sslstrip](https://github.com/moxie0/sslstrip) to intercept subsequent requests.

In order to defend against this type of attack, the site must use be added to the [preload list](https://hstspreload.org).
In order to defend against this type of attack, the site must be added to the [preload list](https://hstspreload.org).

## Automated Testing

Expand All @@ -131,4 +131,4 @@ It can also be possible to performed limited testing using a web browser, as mod
## References

- [OWASP Transport Layer Protection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html)
- [Mozilla Server Side TLS Guide](https://wiki.mozilla.org/Security/Server_Side_TLS)
- [Mozilla Server-Side TLS Guide](https://wiki.mozilla.org/Security/Server_Side_TLS)