[Ach] Updated Mozilla TLS guide

Adi Kriegisch adi at kriegisch.at
Wed Oct 15 16:53:33 CEST 2014


Hey!

> I used the same tool about a week ago on bettercrypto.org:443. I mailed you
> guys to update to our current cipherstring (which also forbids SEED as well
> as the anon-DH ciphers old openssl versions might negotiate) :)
This is from the fallback host. https://bettercrypto.org itself does not
support SEED or anon-DH.
While I agree that this fallback host may be removed as of today because it
does not make sense anymore to provide support for IE 6 or Java 6, the
cipherscan tool does not use the '-servername' command-line switch that
would enable SNI support and therefore detects the wrong cipher settings.
As a hint you may take the different DH param size for the weak ciphers
(DH,1024bits).

So in theory './cipherscan -servername bettercrypto.org bettercrypto.org:443'
should fix this, but it doesn't. Interesting.

-- Adi
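
Added example, not part of the original message and not cipherscan's own code: the effect described above, where a handshake without SNI lands on a catch-all host with different settings, can be checked by summarizing `openssl s_client` output from both handshakes and comparing the two. The sample outputs are constructed, and `TARGET` is a hypothetical variable name for a live check.

```shell
#!/bin/sh
# Constructed samples, trimmed to the s_client lines that are parsed below.
SNI_SAMPLE='Server Temp Key: DH, 4096 bits
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
    Protocol  : TLSv1.2'

NOSNI_SAMPLE='Server Temp Key: DH, 1024 bits
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Protocol  : TLSv1'

# Reduce `openssl s_client` output (stdin) to protocol, cipher and DH/ECDH size.
tls_summary() {
    awk '
        /Cipher is /         { sub(/.*Cipher is /, ""); cipher = $0 }
        /^Server Temp Key: / { sub(/^Server Temp Key: /, ""); key = $0 }
        /^ *Protocol *: /    { sub(/^ *Protocol *: */, ""); proto = $0 }
        END { printf "protocol=%s\ncipher=%s\ntempkey=%s\n", proto, cipher, key }
    '
}

# $1 = output with SNI, $2 = output without SNI.
# Returns 0 when both handshakes negotiated the same settings, 1 otherwise.
sni_diff() {
    with=$(printf '%s\n' "$1" | tls_summary)
    without=$(printf '%s\n' "$2" | tls_summary)
    if [ "$with" = "$without" ]; then
        echo "same settings with and without SNI"
        return 0
    fi
    printf 'with SNI:\n%s\nwithout SNI:\n%s\n' "$with" "$without"
    return 1
}

# One live handshake. $1 = host, $2 = sni|nosni.
# -noservername needs OpenSSL 1.1.1 or later, where SNI is sent by default.
probe() {
    if [ "$2" = sni ]; then opt="-servername $1"; else opt="-noservername"; fi
    openssl s_client -connect "$1:443" $opt </dev/null 2>/dev/null
}

# TARGET is a hypothetical variable name; unset, the constructed samples are used.
a=$SNI_SAMPLE b=$NOSNI_SAMPLE
if [ -n "${TARGET:-}" ]; then
    a=$(probe "$TARGET" sni) b=$(probe "$TARGET" nosni)
fi
sni_diff "$a" "$b" ||
    echo "=> a scan without SNI reports a different virtual host's settings"
```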

====
> On Wed, Oct 15, 2014 at 4:15 PM, Adi Kriegisch <adi at kriegisch.at> wrote:
> 
> > Hey!
> >
> > > The goal is to make it easier for admins to reach the intermediate level,
> > > without asking a security expert to analyze their configuration. It's
> > > very opinionated, and I don't expect everyone to agree with its output.
> > > But it serves Mozilla's needs.
> > Thank you for your great tool!
> >
> > > $ ./cipherscan bettercrypto.org
> > [...]
> > > $ ./analyze.py -t bettercrypto.org
> > > bettercrypto.org:443 has bad ssl/tls
> > [...]
> > > * disable TLSv1
> > > * disable SSLv3
> > I think this can be easily explained: we use a catchall page for non-SNI
> > enabled browsers that allows older ciphers. Probably time to disable this
> > page and remove that workaround from our paper. Non-SNI aware stuff like
> > IE6 or Java 6 should not be used anyways.
> >
> > -- Adi