Solved

Insufficient Transport Layer Protection - Weak Protocol

Posted on 2014-03-28
1
1,576 Views
Last Modified: 2014-04-06
Hello, I have a .net application hosted on a shared IIS7 Windows Server 2008 (many applications on that server).
Recently, the webinspect application has revelead the following security issue:

WebInspect has detected support for weak TLS/SSL protocols on server .
The Transport Layer Security (TLS) protocol and the Secure Sockets Layer (SSL) protocol provide a protection mechanism to ensure authenticity, confidentiality and integrity of the data transmitted between a client and web server.

Explanation
Weak TLS/SSL protocols may exhibit any or all of the following properties:
• no protection against man-in-the-middle attacks
• same key used for authentication and encryption
• weak message authentication control
• no protection against TCP connection closing
These properties can allow an attacker to intercept, modify and tamper with sensitive data.

Recommendation
Disable support for weak protocols on the server.
The following protocols supported by the server are weak and should be disabled:
• For IIS, please refer to Microsoft Knowledge Base Articles:
¿ 187498
¿ 245030
¿ Security Guidance for IIS


Can it be fixed at application level, and not at server level, so the other applications are not affected?

Thanks
0
Comment
Question by:danielivanov2
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 64

Accepted Solution

by:
btan earned 500 total points
ID: 39963005
this is the case where web server is establishing the ssl handshake while client initiate it, the vulnerability is at web server end and I see no way to do it at appl unless you do not want https.

it is recommended to fix it rather than avoid it else have a proxy to front the web server to establish the "real" ssl on behalf, most of the application delivery controller (adc) or loadbalancer or free proxy (like squid) can do it, of course the ssl likely to terminate at the proxy end..most of all, it is still at server end since the scan is webinspect simulate as client connecting to web server (req for the page hosted).

There is a pdf you can catch on the best practice deployment, it comes in handy (see the 2.2. Use Secure Protocols)
https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices_1.3.pdf
0

Featured Post

Turn Insights Into Action

You’ve already invested in ITSM tools, chat applications, automation utilities, and more. Fortify these solutions with intelligent communications so you can drive business processes forward.

With xMatters, you'll never miss a beat.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
I've been an avid user and supporter of Malwarebytes Premium Version 2.x for years. It's an excellent product that runs alongside just about any Anti-Virus application without issues. It seems to have an uncanny ability to pick up many things that A…
This video teaches viewers how to create their own website using cPanel and Wordpress. Tutorial walks users through how to set up their own domain name from tools like Domain Registrar, Hosting Account, and Wordpress. More specifically, the order in…
Wufoo.com provides powerful tools for surveying targeted groups, and utilizing data from completed surveys to find trends, discover areas of demand or customer expectation, and make business decisions on products or services.

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question