Idea: check for old-style SSL-handshakes

Ben Companjen

Dec 2, 2014, 6:11:58 PM
to perspect...@googlegroups.com
Hi,

After finding out about CVE-2009-3555 [1], I changed my Firefox
settings to not allow connections to HTTPS-websites that allow
old-style SSL-handshakes. That has had some interesting results - last
week I asked my bank (the largest in the Netherlands) to upgrade their
web server. Facebook, Microsoft, bit.ly and many others have this
problem in some way or another.

Could Perspectives be a project to also check aspects of TLS usage
other than certificates, such as this?
Other aspects could be use of DNSSEC and TLSA, allowing SSLv3
connections etc., but I wouldn't know if Perspectives is the best
project to take on any of this, let alone what to prioritise.

Just a thought...

Greetings from Ben

[1]: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555

Carl Antuar

Dec 2, 2014, 11:25:07 PM
to perspect...@googlegroups.com
This already exists in the form of Qualys SSL Labs' SSL Checker: https://www.ssllabs.com/ssltest/