[lug] apache config, TLSv1 versus SSLv2?

Ed Moxley ed at moxleynet.com
Sun Sep 4 16:36:48 MDT 2005


On Sun, 2005-09-04 at 14:59, David L. Anselmi wrote:
> David L. Anselmi wrote:
> > Lee Woodworth wrote:
> > [...]
> > 
> >> TLS 1 is essentially SSL 3. TLS is a 'standard' while SSL is a
> >> Netscape specification. SSL 2 has security issues so I wouldn't
> >> allow it for the server or for your browser.
> > 
> > Is that a vulnerability in the SSL v2 protocol, or in some 
> > implementations of it?  Do you have any details?
> 
> Never mind.  There are protocol vulnerabilities (and not that easy to 
> find a concise description of them).  But some are here:
> 
> http://www.cs.bham.ac.uk/~mdr/teaching/modules03/security/students/SS8a/SSLTLS.html
> 
> (and some of what's there applies to TLS).
> 
> Dave

As the final line in "Conclusions" says in the link you reference above:

> What is for sure, is that the cracking of SSL must almost certainly
> take place at the time of the handshake, since this is the vulnerable
> part where unencrypted communication takes place.

Seems pretty concise and googling for SSL v2 exploits/vulnerabilities
appears to validate that statement.
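
The advice quoted earlier in the thread, not allowing SSL v2 on the server, can be checked against an Apache configuration. What follows is an added example, not part of the original post and not Apache's own code. The function names, the constructed sample configuration, and the left-to-right SSLProtocol evaluation rules (a bare name replaces the set, + adds, - removes, over the 2005-era names SSLv2, SSLv3 and TLSv1) are assumptions of the example.

```python
import re

# Protocol names assumed for a 2005-era mod_ssl; later releases differ.
KNOWN = {"sslv2", "sslv3", "tlsv1"}

def effective_protocols(args):
    """Evaluate SSLProtocol arguments left to right (assumed semantics)."""
    enabled = set()
    for token in args.split():
        action = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-").lower()
        chosen = set(KNOWN) if name == "all" else {name}
        if not chosen <= KNOWN:
            raise ValueError(f"unknown protocol {token!r}")
        if action == "+":
            enabled |= chosen
        elif action == "-":
            enabled -= chosen
        else:  # a bare token replaces whatever was selected before it
            enabled = chosen
    return enabled

# Commented-out directives start with '#', so they never match this pattern.
DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)

def audit(config_text):
    """Return (line_number, args) for each SSLProtocol line that allows SSLv2."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), 1):
        match = DIRECTIVE.match(line)
        if match and "sslv2" in effective_protocols(match.group(1)):
            findings.append((number, match.group(1)))
    return findings

# Constructed sample configuration, not taken from any real server.
SAMPLE = """\
<VirtualHost *:443>
    SSLEngine on
    # SSLProtocol all
    SSLProtocol all -SSLv2
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine on
    SSLProtocol -all +SSLv2 +TLSv1
</VirtualHost>
"""

if __name__ == "__main__":
    for number, args in audit(SAMPLE):
        print(f"line {number}: SSLProtocol {args} still allows SSLv2")
```

The audit only sees explicit SSLProtocol lines; a virtual host with no such directive falls back to the server default, which has to be checked separately.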
