Thursday, May 18, 2017

SSLv3 check for various web browsers

If you didn't know it by now, the various SSL versions are no longer supported as an industry and security practice, and it has been that way for the most part over the last few months.

But did you know that many sites are still SSLv3 enabled across the internet?

Even worse, many internal orgs/enterprises have a host of management interfaces that are still SSLv3 and have not migrated to updated code or enforced TLS 1.x support in their applications.

This crucial lockdown step has been overlooked by many information-security teams.





Also, many web clients still support SSLv3 unless you have actually upgraded the web client.

Here are a few screenshots that I put together for testing and validation:

IE
 
FF

 
CHROME



I also used an older Opera 44 version to show you what happens if you're not up to date on client versions.


OPERA did launch prior to my update, and afterward my browser just spins, but with no warning.


SAFARI   Version 10.1 (10603.1.30.0.34)



Vivaldi



Now you don't need a   to find an SSLv3 website; just use the openssl s_server function for testing.

e.g



On a backend note,

"you can easily find many clients and many sites that are negotiating SSLv3 by just looking at the ClientHello/Server handshake messages"


You can do this with a simple TCP packet grabber and a pcap display filter for the SSLv3 protocol.
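
The handshake check described above, as an added example that is not from the original post: a small Python parser that reads the version field of ClientHello/ServerHello records and flags SSLv3 (0x0300). The function names, addresses and sample payloads are constructed for illustration, and it assumes you hand it the first TCP payload seen in each direction of a connection.

```python
import struct

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}
HELLO_TYPES = {1: "ClientHello", 2: "ServerHello"}

def classify_hello(payload: bytes):
    """Return (message, version) if the TCP payload starts with a hello record, else None."""
    # 5-byte record header + 4-byte handshake header + 2-byte hello version
    if len(payload) < 11:
        return None
    content_type, _record_version, record_len = struct.unpack("!BHH", payload[:5])
    if content_type != 22 or record_len < 6:  # 22 = handshake record
        return None
    msg_type = payload[5]
    if msg_type not in HELLO_TYPES:
        return None
    (version,) = struct.unpack("!H", payload[9:11])
    return HELLO_TYPES[msg_type], VERSIONS.get(version, f"unknown(0x{version:04x})")

def sslv3_findings(flows):
    """flows: iterable of (src, dst, payload); return the hellos that carry SSLv3.
    ClientHello at SSLv3: the client's highest offered version is SSLv3.
    ServerHello at SSLv3: the server selected SSLv3 for this session."""
    findings = []
    for src, dst, payload in flows:
        result = classify_hello(payload)
        if result and result[1] == "SSLv3":
            findings.append((src, dst, result[0]))
    return findings

def _hello(msg_type, version):
    # Constructed sample: real header layout, zeroed random, empty session id,
    # truncated after that (enough for the version check).
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    handshake = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, min(version, 0x0301), len(handshake)) + handshake

# Constructed flows using documentation address ranges.
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.5", _hello(1, 0x0303)),      # up-to-date client
    ("198.51.100.5", "192.0.2.10", _hello(2, 0x0300)),      # server picks SSLv3
    ("192.0.2.44", "198.51.100.9", _hello(1, 0x0300)),      # old client
    ("192.0.2.44", "198.51.100.9", b"GET / HTTP/1.1\r\n"),  # not TLS
]

if __name__ == "__main__":
    for src, dst, msg in sslv3_findings(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {msg} at SSLv3")
```

A ServerHello hit is the stronger finding, since it shows a server that still accepts SSLv3; a ClientHello hit identifies a client that needs upgrading.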



Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \