Insufficient Transport Layer Protection - Weak Protocol
Posted on 2014-03-28
Hello, I have a .NET application hosted on a shared IIS7 Windows Server 2008 (many applications on that server).
Recently, the WebInspect application has revealed the following security issue:
WebInspect has detected support for weak TLS/SSL protocols on server .
The Transport Layer Security (TLS) protocol and the Secure Sockets Layer (SSL) protocol provide a protection mechanism to ensure authenticity, confidentiality and integrity of the data transmitted between a client and web server.
Weak TLS/SSL protocols may exhibit any or all of the following properties:
• no protection against man-in-the-middle attacks
• same key used for authentication and encryption
• weak message authentication control
• no protection against TCP connection closing
These properties can allow an attacker to intercept, modify and tamper with sensitive data.
Disable support for weak protocols on the server.
The following protocols supported by the server are weak and should be disabled:
• For IIS, please refer to Microsoft Knowledge Base Articles:
  ◦ Security Guidance for IIS
Can it be fixed at application level, and not at server level, so the other applications are not affected?