Protecting against Security Vulnerabilities in SSL Version 2
|Category:||Security Best Practices|
|Vulnerable Systems:||Any application, client or server, using SSL version 2 encryption|
|Source:||SmartDefense Research Center|
SSL (Secure Sockets Layer) is a protocol developed by Netscape for secure (encrypted and possibly authenticated) data transmission over the Internet. It is mainly used by Secure-HTTP (HTTPS), in order to protect the privacy and provide authentication for HTTP transactions.Version 2 of the protocol, which was introduced in 1994, is still supported by all browsers and Web servers, although it suffers from a number of severe security flaws. SSL version 3 (published 1996) and its successor, TLS - Transport Layer Security version 1.0 (published 1999) fixed those flaws and their use is highly recommended.
SSLv2 contains some security flaws in its design, making it susceptible to attacks allowing an attack to disrupt or eavesdrop on the private communication offered by SSL. These include:
SSLv2 lacks protection in the handshake process so a man-in-the-middle (MITM) attack cannot be detected. A MITM attack allows an attacker to situate himself between the client and the server and pretend to be the client as far as the server is concerned, and the server as far as the client is concerned.
SSLv2 used the TCP connection closure to signal the end of data. An attacker could forge this signal to force a recipient to end data transmission.
Users of VPN-1 NG with Application Intelligence R55, R55W and VPN-1 NGX R60 who have applied the solution outlined below will identify the following SmartView Tracker log entries:
Users of VPN-1 NG with Application Intelligence R55 & R55W and users of VPN-1 NGX R60 can force the use of SSLv3 in HTTPS transaction by placing the service ssl_v3 in the Firewall rule base and install policy on all modules.
|Industry Reference:||OpenSSL Security Advisory|