?
Solved

Insufficient Transport Layer Protection - Weak Protocol

Posted on 2014-03-28
1
Medium Priority
?
1,652 Views
Last Modified: 2014-04-06
Hello, I have a .net application hosted on a shared IIS7 Windows Server 2008 (many applications on that server).
Recently, the webinspect application has revelead the following security issue:

WebInspect has detected support for weak TLS/SSL protocols on server .
The Transport Layer Security (TLS) protocol and the Secure Sockets Layer (SSL) protocol provide a protection mechanism to ensure authenticity, confidentiality and integrity of the data transmitted between a client and web server.

Explanation
Weak TLS/SSL protocols may exhibit any or all of the following properties:
• no protection against man-in-the-middle attacks
• same key used for authentication and encryption
• weak message authentication control
• no protection against TCP connection closing
These properties can allow an attacker to intercept, modify and tamper with sensitive data.

Recommendation
Disable support for weak protocols on the server.
The following protocols supported by the server are weak and should be disabled:
• For IIS, please refer to Microsoft Knowledge Base Articles:
¿ 187498
¿ 245030
¿ Security Guidance for IIS


Can it be fixed at application level, and not at server level, so the other applications are not affected?

Thanks
0
Comment
Question by:danielivanov2
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 64

Accepted Solution

by:
btan earned 1500 total points
ID: 39963005
this is the case where web server is establishing the ssl handshake while client initiate it, the vulnerability is at web server end and I see no way to do it at appl unless you do not want https.

it is recommended to fix it rather than avoid it else have a proxy to front the web server to establish the "real" ssl on behalf, most of the application delivery controller (adc) or loadbalancer or free proxy (like squid) can do it, of course the ssl likely to terminate at the proxy end..most of all, it is still at server end since the scan is webinspect simulate as client connecting to web server (req for the page hosted).

There is a pdf you can catch on the best practice deployment, it comes in handy (see the 2.2. Use Secure Protocols)
https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices_1.3.pdf
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.
Use Wufoo, an online form creation tool, to make powerful forms. Learn how to selectively show certain fields based on user input using rules to gather relevant information and data from your forms. The rules feature provides you with an opportunity…
Learn how to set-up custom confirmation messages to users who complete your Wufoo form. Include inputs from fields in your form, webpage redirects, and more with Wufoo’s confirmation options.
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question