Monday, June 11, 2012

Fix SSL Vulnerability Part 3 of 3: Using IIS Crypto tool to disable weak ciphers and protocols

As a web server or systems administrator, you must ensure that your web server uses strong ciphers and protocols. A web server that still accepts weak ciphers or protocols is easily flagged by vulnerability scans, falls out of compliance with your organization's security policy, and is exposed to network attacks against the encrypted session.

You may receive a "Web Server Supports Weak SSL Encryption Certificates" finding on your network vulnerability report if you are using weak ciphers or protocols. Enforcing 128-bit SSL keys might not be possible in every situation, because some vendors distribute 40-bit keys. When configuring SSL communication, the recommendation is to use SSLv3, since it fixes most of the flaws found in SSLv2. There is no known attack for breaking SSLv3 security.

There are a lot of other vulnerabilities associated with SSLv2 and with the TLS 1.0 and TLS 1.1 protocols. If you search elsewhere, you will find many ways to disable vulnerable protocols through the Windows registry editor and similar means. I recently came across the "IIS Crypto" tool, which disables weak ciphers and protocols through a GUI.

To enable or disable protocols and ciphers, click the "PCI" or "FIPS 140-2" button to load that template, then manually check or uncheck the protocols and ciphers you want enabled. A restart of the operating system is required before the settings take effect.
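For administrators who prefer a scriptable or auditable alternative to the GUI, the following PowerShell script is an added example, not part of the original post and not code from the IIS Crypto tool. It reads and, with `-Apply`, writes the same SCHANNEL registry keys that IIS Crypto manages (`Enabled` and `DisabledByDefault` under `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL`). The protocol list only contains SSL 2.0, the protocol this post singles out as flawed; the cipher list covers the 40-bit, 56-bit and NULL suites that typically trigger a "weak SSL encryption" finding. Which entries to disable beyond that is an assumption you should adjust to your own policy; the function names and the `-Apply` switch are this example's own.

```powershell
# Added example: audit and optionally disable weak SCHANNEL protocols and ciphers.
# Run from an elevated PowerShell prompt; without -Apply it only reports the current
# state. As with IIS Crypto, a reboot is required before changes take effect.
param([switch]$Apply)

$SchannelRoot = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Server-side protocols to disable. SSL 2.0 is the one the post singles out;
# extend this list to match your organization's policy (assumption, not a fixed rule).
$ProtocolsToDisable = @('SSL 2.0')

# Cipher keys with 40/56-bit keys or no encryption at all. The names are the
# subkey names SCHANNEL uses under ...\SCHANNEL\Ciphers.
$CiphersToDisable = @('NULL', 'RC2 40/128', 'RC2 56/128', 'RC4 40/128', 'RC4 56/128', 'DES 56/56')

# Keys are addressed through .NET rather than the HKLM: provider because cipher
# names contain "/", which the PowerShell registry provider treats as a path separator.
$Hklm = [Microsoft.Win32.Registry]::LocalMachine

function Get-EnabledValue([string]$SubKey) {
    # Returns the Enabled value, or $null when the key/value is absent (OS default applies).
    $key = $Hklm.OpenSubKey($SubKey)
    if ($null -eq $key) { return $null }
    try { return $key.GetValue('Enabled') } finally { $key.Close() }
}

function Disable-SchannelKey([string]$SubKey, [bool]$IsProtocol) {
    # Enabled = 0 turns the item off. For protocols, DisabledByDefault = 1 additionally
    # stops applications from opting back in at runtime.
    $key = $Hklm.CreateSubKey($SubKey)
    try {
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        if ($IsProtocol) {
            $key.SetValue('DisabledByDefault', 1, [Microsoft.Win32.RegistryValueKind]::DWord)
        }
    } finally { $key.Close() }
}

# Build the list of registry targets: protocols use the \Server subkey (this post is
# about the web server role); ciphers are a single key each.
$targets = @()
foreach ($p in $ProtocolsToDisable) {
    $targets += [pscustomobject]@{ Kind = 'Protocol'; Name = $p; SubKey = "$SchannelRoot\Protocols\$p\Server" }
}
foreach ($c in $CiphersToDisable) {
    $targets += [pscustomobject]@{ Kind = 'Cipher'; Name = $c; SubKey = "$SchannelRoot\Ciphers\$c" }
}

$report = foreach ($t in $targets) {
    $before = Get-EnabledValue $t.SubKey
    if ($Apply -and $before -ne 0) {
        Disable-SchannelKey -SubKey $t.SubKey -IsProtocol ($t.Kind -eq 'Protocol')
    }
    $after = if ($Apply) { Get-EnabledValue $t.SubKey } else { $before }
    [pscustomobject]@{
        Kind   = $t.Kind
        Name   = $t.Name
        Before = if ($null -eq $before) { 'default' } else { $before }
        After  = if ($null -eq $after)  { 'default' } else { $after }
    }
}

$report | Format-Table -AutoSize
if ($Apply) { Write-Host 'SCHANNEL settings changed; reboot the server for them to take effect.' }
```

Run the script once without `-Apply` to record the current state (useful evidence for the vulnerability report), then with `-Apply` and a reboot. Re-run the audit afterwards, and have the scanner re-test the host, since a value of `default` means the operating system's built-in setting is in force rather than anything you configured explicitly.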
