SSL - vulnerable to some attacks #531

Closed
mworrell opened this Issue Mar 11, 2013 · 5 comments

Owner

mworrell commented Mar 11, 2013

After running checks with https://www.ssllabs.com/ssltest/index.html we got the following suggestions/vulnerabilities:

Those links describe the solution directions.

The following cipher suites are weak and enabled (56 bits):

  • TLS_RSA_WITH_DES_CBC_SHA
  • TLS_DHE_RSA_WITH_DES_CBC_SHA

We should disable those.

@ghost ghost assigned mworrell Mar 11, 2013

Owner

mworrell commented Oct 15, 2014

There is an additional problem that ssl supports SSLv3.
This is now considered insecure and should be disabled.

From the ssllabs.com tests:

Protocols

TLS 1.2   Yes
TLS 1.1   Yes
TLS 1.0   Yes
SSL 3     Yes
SSL 2     No

Weak Cipher Suites

TLS_RSA_WITH_DES_CBC_SHA (0x9)   WEAK   56
TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK  56

Protocol Details

Secure Client-Initiated Renegotiation DoS DANGER
https://community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks

BEAST attack Not mitigated server-side SSL 3: 0x9, TLS 1.0: 0x9
https://community.qualys.com/blogs/securitylabs/2013/09/10/is-beast-still-a-threat

Owner

mworrell commented Oct 15, 2014

Tracked here: zotonic/mochiweb#5

Owner

mworrell commented Oct 15, 2014

Fixed in Mochiweb

/cc @mmzeeman @arjan

Owner

mworrell commented Oct 15, 2014

We have a separate pull request to merge upstream mochi/mochiweb#140

@mworrell mworrell closed this Oct 15, 2014

Owner

mworrell commented Oct 15, 2014

Not fixing BEAST attack, as it is unclear if the Erlang SSL implementation is vulnerable at all.
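
The hardening this issue asks for (no SSL 3, no 56-bit DES suites, no client-initiated renegotiation) expressed as Erlang `ssl` listen options. This is an added example, not part of the thread and not the Mochiweb fix it links to. It assumes OTP 20.3 or later for `ssl:cipher_suites/2` and `ssl:filter_cipher_suites/2`; the module and function names are hypothetical.

```erlang
%% Added example: not Zotonic or Mochiweb code. Module and function names
%% are hypothetical. Assumes OTP 20.3+ (ssl:cipher_suites/2 and
%% ssl:filter_cipher_suites/2 return and accept cipher suite maps).
-module(tls_hardening).
-export([listen_opts/2, suites/1, has_des/1]).

%% Protocol versions to offer: everything the report listed except SSL 3.
-define(VERSIONS, ['tlsv1.2', 'tlsv1.1', tlsv1]).

%% Default suites for one protocol version with single DES (56-bit) removed.
%% des_cbc is the cipher used by TLS_RSA_WITH_DES_CBC_SHA and
%% TLS_DHE_RSA_WITH_DES_CBC_SHA.
suites(Version) ->
    ssl:filter_cipher_suites(
      ssl:cipher_suites(default, Version),
      [{cipher, fun(des_cbc) -> false; (_) -> true end}]).

%% True if any suite in the list still uses des_cbc.
has_des(Suites) ->
    lists:any(fun(#{cipher := C}) -> C =:= des_cbc end, Suites).

%% Options to pass to ssl:listen/2. CertFile and KeyFile are supplied by
%% the caller. The suite list is built for the highest offered version;
%% older versions negotiate the subset of it that they support.
listen_opts(CertFile, KeyFile) ->
    Suites = suites('tlsv1.2'),
    false = has_des(Suites),            % crash at startup if DES slipped in
    [{certfile, CertFile},
     {keyfile, KeyFile},
     {versions, ?VERSIONS},             % sslv3 deliberately absent
     {ciphers, Suites},
     {honor_cipher_order, true},        % server preference decides the suite
     {client_renegotiation, false}].    % refuse client-initiated renegotiation
```

Rerunning the same ssllabs.com test after deploying such options shows whether SSL 3 and the two DES suites are still offered.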
