Solved

Insufficient Transport Layer Protection - Weak Protocol

Posted on 2014-03-28
1
1,475 Views
Last Modified: 2014-04-06
Hello, I have a .net application hosted on a shared IIS7 Windows Server 2008 (many applications on that server).
Recently, the webinspect application has revelead the following security issue:

WebInspect has detected support for weak TLS/SSL protocols on server .
The Transport Layer Security (TLS) protocol and the Secure Sockets Layer (SSL) protocol provide a protection mechanism to ensure authenticity, confidentiality and integrity of the data transmitted between a client and web server.

Explanation
Weak TLS/SSL protocols may exhibit any or all of the following properties:
• no protection against man-in-the-middle attacks
• same key used for authentication and encryption
• weak message authentication control
• no protection against TCP connection closing
These properties can allow an attacker to intercept, modify and tamper with sensitive data.

Recommendation
Disable support for weak protocols on the server.
The following protocols supported by the server are weak and should be disabled:
• For IIS, please refer to Microsoft Knowledge Base Articles:
¿ 187498
¿ 245030
¿ Security Guidance for IIS


Can it be fixed at application level, and not at server level, so the other applications are not affected?

Thanks
0
Comment
Question by:danielivanov2
1 Comment
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 39963005
this is the case where web server is establishing the ssl handshake while client initiate it, the vulnerability is at web server end and I see no way to do it at appl unless you do not want https.

it is recommended to fix it rather than avoid it else have a proxy to front the web server to establish the "real" ssl on behalf, most of the application delivery controller (adc) or loadbalancer or free proxy (like squid) can do it, of course the ssl likely to terminate at the proxy end..most of all, it is still at server end since the scan is webinspect simulate as client connecting to web server (req for the page hosted).

There is a pdf you can catch on the best practice deployment, it comes in handy (see the 2.2. Use Secure Protocols)
https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices_1.3.pdf
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Block Internet Explorer 3 103
Internet bottleneck? 11 107
Comcast Static IP Addresses 13 39
Can another NTP server respond when connecting to an NTP server? 8 23
SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
A brand new malware strain was recently discovered by security researchers at Palo Alto Networks dubbed “AceDeceiver.” This new strain of iOS malware can successfully infect non-jailbroken devices and jailbroken devices alike.
Wufoo.com provides powerful tools for surveying targeted groups, and utilizing data from completed surveys to find trends, discover areas of demand or customer expectation, and make business decisions on products or services.
Learn how to set-up custom confirmation messages to users who complete your Wufoo form. Include inputs from fields in your form, webpage redirects, and more with Wufoo’s confirmation options.

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question