Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

TLS/SSL vulnerabilities – the server is often the weakest point

  • 27-05-2015 10:53am
    #1
    Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭


    Steve Gibson did a show on TLS vulnerabilities, covering secure browsing, VPNs etc. He talks about Logjam too. 80% of servers support downgrade to 512 bit keys which makes encrypted traffic to/from them easy to decrypt. 1024 bit keys are widely believed to be crackable at this stage.

    Basically a chain is as strong as its weakest link, and if that includes Diffie-Hellman export grade DHE_EXPORT ciphers…..!

    17.97% of HTTPS domains allow 1024-bit Diffie-Hellman which may be subject to passive eavesdropping. 66% of IKEv1 – ie IP Sec VPNs ditto.

    “What should I do?

    If you run a server…

    If you have a web or mail server, you should disable support for export cipher suites and generate a unique 2048-bit Diffie-Hellman group. We have published a Guide to Deploying Diffie-Hellman for TLS with step-by-step instructions. If you use SSH, you should upgrade both your server and client installations to the most recent version of OpenSSH, which prefers Elliptic-Curve Diffie-Hellman Key Exchange.

    If you use a browser…

    Make sure you have the most recent version of your browser installed, and check for updates frequently. Google Chrome (including Android Browser), Mozilla Firefox, Microsoft Internet Explorer, and Apple Safari are all deploying fixes for the Logjam attack.

    If you’re a sysadmin or developer …

    Make sure any TLS libraries you use are up-to-date, that servers you maintain use 2048-bit or larger primes, and that clients you maintain reject Diffie-Hellman primes smaller than 1024-bit.”

    Source: https://weakdh.org

    Video of last night’s Security Now: http://www.podtrac.com/pts/redirect.mp4/twit.cachefly.net/video/sn/sn0509/sn0509_h264m_1280x720_1872.mp4

    Audio only: http://www.podtrac.com/pts/redirect.mp3/twit.cachefly.net/audio/sn/sn0509/sn0509.mp3


Comments

Advertisement