[Ach] Idea: catching old clients with sni

Adi Kriegisch adi at kriegisch.at
Tue Nov 12 16:51:55 CET 2013


While discussing how to enable WinXP and Java6 in a safe mannor, Pepi and I
concluded that this is simply impossible. This is the list of supported
ciphers in WinXP/IE6 (where IE8 only removes some very weak ciphers):

So another idea came to our mind: all those clients (except for Java7) do
NOT support SNI. So why not set up a default virtual host with weak ciphers
enabled as a catchall page where one may hint his users at upgrading
browsers due to security issues and hosting the real service as a
(non-default) virtual host reachable via sni?!

I think this could be a hint for site operators still caring for users of
very old browsers. What do you think? Is this worth a hint in our paper?

-- Adi

PS: For Java7 this trick will not work as Java7 supports sni and needs the
"strong crypto pack" to enable stronger ciphers.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 827 bytes
Desc: Digital signature
URL: <http://lists.cert.at/pipermail/ach/attachments/20131112/6d6d6137/attachment.sig>

More information about the Ach mailing list