But did you know that many sites are still SSLv3 enabled across the internet?
Even worse, many internal organizations/enterprises have a host of management interfaces that are still SSLv3 and have not migrated to updated code or enforced TLS 1.x support with their applications.
This crucial lockdown step has been overlooked by many information-security teams.
Many web clients also still support SSLv3 unless you have actually upgraded the client.
Here are a few screenshots that I put together for testing and validation:
IE
FF
CHROME
I also used an older Opera 44 version to show you what happens if you're not up to date on client versions.
OPERA: did launch prior to my update, and afterward my browser just spins, but with no warning
SAFARI Version 10.1 (10603.1.30.0.34)
Vivaldi
Now you don't need to find an SSLv3 website; just use the openssl s_server function for testing
e.g
On a backend note,
"you can easily find many clients and many sites that are negotiating SSLv3 by just looking at the ClientHello/Server handshake messages"
You can do this with a simple tcp-packet grabber and pcap display filter for SSLv3 protocol.
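An added example (not from the original post): a minimal Python parser that reads the version field of ClientHello/ServerHello records in a captured TCP payload and flags SSLv3 (0x0300), which is the check a capture filter performs. The sample bytes are constructed, the function names are illustrative, and it assumes each hello is the first handshake message in its record.

```python
import struct

SSL3 = 0x0300
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}
HELLO = {1: "ClientHello", 2: "ServerHello"}

def parse_hellos(stream: bytes):
    """Return (message, record_version, hello_version) for each hello found."""
    out, off = [], 0
    while off + 5 <= len(stream):
        # Record header: content type (1), version (2), length (2)
        ctype, rec_ver, rec_len = struct.unpack_from("!BHH", stream, off)
        body = stream[off + 5: off + 5 + rec_len]
        off += 5 + rec_len
        if ctype != 22 or len(body) < rec_len or len(body) < 6:
            continue  # not a handshake record, or the capture is truncated
        # Handshake header: type (1), length (3); the hello version follows
        if body[0] in HELLO:
            (hello_ver,) = struct.unpack_from("!H", body, 4)
            out.append((HELLO[body[0]], rec_ver, hello_ver))
    return out

def sslv3_findings(stream: bytes):
    """Describe every hello whose version field is SSLv3."""
    findings = []
    for name, _rec_ver, hello_ver in parse_hellos(stream):
        if hello_ver == SSL3:
            what = "offers at most SSLv3" if name == "ClientHello" else "negotiated SSLv3"
            findings.append(f"{name} {what}")
    return findings

def make_hello(hs_type: int, version: int, rec_ver: int = SSL3) -> bytes:
    """Constructed sample: hello cut off after an empty session id."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, rec_ver, len(hs)) + hs

# Constructed sample payloads (not taken from a real capture)
CLIENT_SSL3 = make_hello(1, 0x0300)
SERVER_SSL3 = make_hello(2, 0x0300)
CLIENT_TLS12 = make_hello(1, 0x0303, rec_ver=0x0301)
ALERT = struct.pack("!BHH", 21, SSL3, 2) + b"\x02\x28"  # non-handshake record

if __name__ == "__main__":
    samples = {"old client": CLIENT_SSL3, "server": ALERT + SERVER_SSL3,
               "current client": CLIENT_TLS12}
    for label, payload in samples.items():
        versions = [VERSIONS.get(v, hex(v)) for _, _, v in parse_hellos(payload)]
        print(label, versions, sslv3_findings(payload) or "no SSLv3 hello")
```

A ClientHello carries the highest version the client offers, so a modern client that would still fall back to SSLv3 is only visible in the ServerHello it accepts.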
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \