Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Insufficient Transport Layer Protection - Weak Protocol

Posted on 2014-03-28
1
Medium Priority
?
1,719 Views
Last Modified: 2014-04-06
Hello, I have a .net application hosted on a shared IIS7 Windows Server 2008 (many applications on that server).
Recently, the webinspect application has revelead the following security issue:

WebInspect has detected support for weak TLS/SSL protocols on server .
The Transport Layer Security (TLS) protocol and the Secure Sockets Layer (SSL) protocol provide a protection mechanism to ensure authenticity, confidentiality and integrity of the data transmitted between a client and web server.

Explanation
Weak TLS/SSL protocols may exhibit any or all of the following properties:
• no protection against man-in-the-middle attacks
• same key used for authentication and encryption
• weak message authentication control
• no protection against TCP connection closing
These properties can allow an attacker to intercept, modify and tamper with sensitive data.

Recommendation
Disable support for weak protocols on the server.
The following protocols supported by the server are weak and should be disabled:
• For IIS, please refer to Microsoft Knowledge Base Articles:
¿ 187498
¿ 245030
¿ Security Guidance for IIS


Can it be fixed at application level, and not at server level, so the other applications are not affected?

Thanks
0
Comment
Question by:danielivanov2
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 65

Accepted Solution

by:
btan earned 1500 total points
ID: 39963005
this is the case where web server is establishing the ssl handshake while client initiate it, the vulnerability is at web server end and I see no way to do it at appl unless you do not want https.

it is recommended to fix it rather than avoid it else have a proxy to front the web server to establish the "real" ssl on behalf, most of the application delivery controller (adc) or loadbalancer or free proxy (like squid) can do it, of course the ssl likely to terminate at the proxy end..most of all, it is still at server end since the scan is webinspect simulate as client connecting to web server (req for the page hosted).

There is a pdf you can catch on the best practice deployment, it comes in handy (see the 2.2. Use Secure Protocols)
https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices_1.3.pdf
0

Featured Post

Q2 2017 - Latest Malware & Internet Attacks

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out our latest Quarterly Internet Security Report!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The recent Petya-like ransomware attack served a big blow to hundreds of banks, corporations and government offices The Acronis blog takes a closer look at this damaging worm to see what’s behind it – and offers up tips on how you can safeguard your…
A new hacking trick has emerged leveraging your own helpdesk or support ticketing tools as an easy way to distribute malware.
This video teaches users how to migrate an existing Wordpress website to a new domain.
Learn how to set-up custom confirmation messages to users who complete your Wufoo form. Include inputs from fields in your form, webpage redirects, and more with Wufoo’s confirmation options.

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question