Friday, 27 April 2012

TeamMentor.net vulnerable to BEAST and SSL 2.0, now what?

Ok, so from https://www.ssllabs.com/ssltest/analyze.html?d=teammentor.net&source=tim we can see that https://teammentor.net gets a B rating because it is vulnerable to the 'BEAST Attack' (whoohh that sounds scary :) )

The link on that page points to Mitigating the BEAST attack on TLS which provides some background info on the problem, but it doesn't answer the questions I have at the moment, which are:

  • What is the risk impact of this vulnerability on a site like http://teammentor.net?
  • What are the exploit scenarios?
  • Is there any mitigation (or not) by the use of IIS 7.0?
  • How do I fix this in IIS 7.0?
  • Can anything been done at the Application Layer?
In a way this is where security fails. Instead of giving me a solution, SSL Labs (which rocks btw) is giving me a problem.

Another good example of 'Security as TAX' vs 'Security as Enabler'.

We are going to have to spend resources to understand, fix, test, validate this problem (i.e. pay a TAX) with very little return

The other issue to solve is to remove SSL 2.0 support is IIS7. As per this post How to Disable SSL 2.0 in IIS 7 , it looks like it needs to be done by changing the registry. Is that the only way to do this?

Also asked this question on:

Post a Comment