Re: How to check for SSL1 ?

From: Dean H. Saxe (dean@fullfrontalnerdity.com)
Date: Fri Sep 30 2005 - 08:38:26 EDT

• Next message: Michael Gargiullo: "RE: Using smbbf"
• Previous message: Jarmon, Don R: "RE: Vulnerability assessment for small business"
• In reply to: Thomas Springer: "Re: How to check for SSL1 ?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Actually, SSLDigger does check the protocol. In addition it checks
for the key exchange mechanism (e.g. Diffie-Helman or RSA), the
cipher suite and bit length of the keys (e.g. AES 128 bit) and the
integrity protection algorithm (e.g. SHA-256). That should answer
all of your needs. The one thing it won't do is tell you much about
Server Gated Cryptography beyond that its present on the server and
will mitigate more vulnerable protocols such as 40 bit RC4 encryption
by allowing the browser to negotiate stronger encryption mechanisms
than are reported by the server as being available.

Check it out at foundstone.com under the free tools section and read
the associated whitepaper which discusses the tool, the protocols,
cipher suites, server gated cryptography, etc.

(Disclaimer: I'm a Foundstone consultant, I use the tool regularly
for engagements.)

-dhs

Dean H. Saxe, CEH
dean@fullfrontalnerdity.com
"I have always strenuously supported the right of every man to his
own opinion, however different that opinion might be to mine. He who
denies another this right makes a slave of himself to his present
opinion, because he precludes himself the right of changing it."
     -- Thomas Paine, 1783

On Sep 29, 2005, at 5:08 AM, Thomas Springer wrote:

> Hi Sahir,
>
>
>> Foundstone has a free tool called SSL Digger which basically does
>> what
>> you're looking for -- identify the cipher suites supported by a
>> particular
>>
>
> SSLDigger only checks available CIPHERS, not PROTOCOLS, nor will it
> show you the preferred cipher the server presents first!
> (Especially busy servers tend to present "cheap" ciphers first to
> minimize load on server or SSL-proxy, even when they would support
> stronger ciphers.)
>

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

• Next message: Michael Gargiullo: "RE: Using smbbf"
• Previous message: Jarmon, Don R: "RE: Vulnerability assessment for small business"
• In reply to: Thomas Springer: "Re: How to check for SSL1 ?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:01 EDT