Disabling old SSL Protocols/Enabling new TLS Protocols

Some customers may have been contacted by PayPal with a notice that it is discontinuing support for the old SSL protocols. Many are not aware of what this means and how it impacts their organization...


Recently Moneris assessed the SSLv3 “POODLE” vulnerability (CVE-2014-3566) and determined that the best course of action is to protect their clients by disabling this service altogether. The POODLE attack (which stands for "Padding Oracle On Downgraded Legacy Encryption") is a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0.[1][2][3] A man-in-the-middle attack is one where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. One example is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. This attack allows the attacker to eavesdrop and find sensitive information such as credit card numbers.


To protect yourself from this attack, we’ve created a PowerShell script to disable all the old technologies and ensure the proper encryption is set.


To test your site and see how vulnerable you are, go to https://www.ssllabs.com/ssltest/analyze.html and type in your site.

 

We've developed a very useful PowerShell script that will make the necessary security changes in one step. This script does the following:

# Disable Multi-Protocol Unified Hello

# Disable PCT 1.0

# Disable SSL 2.0 (PCI Compliance)

# Disable SSL 3.0 (PCI Compliance) and enable "Poodle" protection

# Add and Enable TLS 1.1 for client and server SCHANNEL communications

# Add and Enable TLS 1.2 for client and server SCHANNEL communications

# Re-create the ciphers key.

# Disable insecure/weak ciphers: 'DES 56/56', 'RC2 128/128', 'RC2 40/128', 'RC2 56/128', 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128'

# Enable new secure ciphers. RC4 and 3DES

# Set hashes configuration. Force MD5 and SHA

# Set KeyExchangeAlgorithms configuration.

# Set cipher suites order as secure as possible (Enables Perfect Forward Secrecy).

Note that if you disable SSL 3, Windows XP users on IE 6/7 will no longer be able to access your site, but it will prevent your site from being attacked.
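
The protocol and weak-cipher items in the list above map to SCHANNEL registry values. The following is an added example, not the Bursting Silver script: it assumes the standard SCHANNEL registry layout, the helper name `Set-SchannelProtocol` is hypothetical, and it leaves out the hash, key-exchange and cipher-suite-order steps.

```powershell
#Requires -RunAsAdministrator
# Added example (not the vendor's script): protocol and weak-cipher steps only.
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Hypothetical helper: writes Enabled/DisabledByDefault for both SCHANNEL roles.
function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Protocol,
        [Parameter(Mandatory)][bool]$Enable
    )
    foreach ($role in 'Server', 'Client') {
        $key = "HKLM:\$base\Protocols\$Protocol\$role"
        # Create the key only if missing so existing values are not wiped.
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        $enabled  = if ($Enable) { 1 } else { 0 }
        $disabled = if ($Enable) { 0 } else { 1 }
        New-ItemProperty -Path $key -Name 'Enabled' -Value $enabled -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value $disabled -PropertyType DWord -Force | Out-Null
    }
}

# Legacy protocols off, TLS 1.1 and 1.2 on (the protocol items in the list).
'Multi-Protocol Unified Hello', 'PCT 1.0', 'SSL 2.0', 'SSL 3.0' |
    ForEach-Object { Set-SchannelProtocol -Protocol $_ -Enable $false }
'TLS 1.1', 'TLS 1.2' |
    ForEach-Object { Set-SchannelProtocol -Protocol $_ -Enable $true }

# Cipher key names contain '/', which the PowerShell registry provider treats
# as a path separator, so use the .NET registry API for these.
$weak = 'DES 56/56', 'RC2 128/128', 'RC2 40/128', 'RC2 56/128',
        'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128'
$ciphers = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$base\Ciphers")
foreach ($name in $weak) {
    $sub = $ciphers.CreateSubKey($name)
    $sub.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $sub.Close()
}
$ciphers.Close()

# Read back the server-side protocol state for review.
Get-ChildItem "HKLM:\$base\Protocols" | ForEach-Object {
    $p = Get-ItemProperty -Path (Join-Path $_.PSPath 'Server') -ErrorAction SilentlyContinue
    [pscustomobject]@{ Protocol = $_.PSChildName; Enabled = $p.Enabled; DisabledByDefault = $p.DisabledByDefault }
}
```

SCHANNEL picks up these values after a restart, so reboot the server before re-running the SSL Labs test.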

If you would like more information about this script, please contact info@burstingsilver.com.  

 
