What are the risks linked to obsolete protocols?
As with everything in the IT world, aging protocols cause numerous security problems. They are therefore regularly updated and then replaced to counter hackers looking for data to steal.
TLS 1.2 mandatory since March 2020
From March 2020, Web servers will have to serve their content using at least the TLS 1.2 protocol. You will find more information at this link: TLS 1.2 mandatory since March 2020
SSLv2 and SSLv3
SSLv2 was created by Netscape in 1995 and SSLv3 by the same company in 1996. From the start, SSLv2 showed weaknesses and was quickly replaced by SSLv3. TLS has now been the standard for several years.
Those protocols, still too often used, are vulnerable to Man In The Middle (MITM) attacks allowing a third party to intercept, modify and decipher transferred data.
We advise our customers to disable these protocols (see links below). Once done, check your sites with CopiBot.
Alert on Chrome
Since version 39 of Chromium, a yellow triangle appears on the padlock when the browser spots the use of an outdated protocol such as SSLv3 or SSLv2.
Troubleshooting: see the links below to disable obsolete protocols on your servers
Since version 41 of Chromium, a yellow triangle appears on the padlock when the certificate delivered by the server is still signed with the SHA1 hash algorithm and expires after January 1st, 2017.
More about SHA1: Deprecation scheduled for 2017
Troubleshooting: Reissue the certificate in SHA256 or renew it.
2016-03-02 - DROWN Attack
A recently published attack exploits SSLv2 support on servers. It concerns all protocols based on SSL/TLS. Servers using OpenSSL versions earlier than 1.0.1f and 1.02g are especially vulnerable. We strongly recommend disabling SSLv2.
TLS 1.0 and TLS 1.1
The TLS 1.0 and TLS 1.1 protocols were replaced in 2008 by TLS 1.2, which should have been used since then.
Those 2 protocols must now disappear for security reasons and several browsers have already announced their deprecation as of March 2020.
Their weaknesses (among others):
- they require implementation of older cipher suites
- lack of support for current recommended cipher suites
- integrity of the handshake depends on SHA-1 hash
- authentication of the peers depends on SHA-1 signatures
These weaknesses make them vulnerable to Man In The Middle (MITM) attacks allowing a third party to intercept, modify and decipher transferred data.
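As an added example (not code from this page or from the guides linked below), the following Python script audits Apache `SSLProtocol` and Nginx `ssl_protocols` lines for the protocol versions this page calls obsolete. The sample configuration is constructed, and treating Apache's `all` as every version from SSLv3 to TLS 1.3 is an assumption made so that the audit over-reports rather than under-reports.

```python
# Protocol versions this page calls obsolete.
OBSOLETE = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Assumption: Apache's "all" expands to every version mod_ssl might enable.
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
# Normalise case so that a spelling such as "tlsv1" is still recognised.
CANON = {n.lower(): n for n in APACHE_ALL | OBSOLETE}

def apache_enabled(args):
    """Apply SSLProtocol tokens left to right: +X adds, -X removes, bare X resets."""
    enabled = set()
    for tok in args:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        group = APACHE_ALL if name.lower() == "all" else {CANON.get(name.lower(), name)}
        if sign == "+":
            enabled |= group
        elif sign == "-":
            enabled -= group
        else:
            enabled = set(group)
    return enabled

def audit(config_text):
    """Return (line_no, directive, obsolete protocols) for each offending line."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        # Drop comments, surrounding whitespace and Nginx's trailing semicolon.
        words = raw.split("#", 1)[0].strip().rstrip(";").split()
        if len(words) < 2:
            continue
        if words[0].lower() == "sslprotocol":    # Apache mod_ssl
            enabled = apache_enabled(words[1:])
        elif words[0] == "ssl_protocols":        # Nginx
            enabled = {CANON.get(w.lower(), w) for w in words[1:]}
        else:
            continue
        bad = sorted(enabled & OBSOLETE)
        if bad:
            findings.append((no, words[0], bad))
    return findings

# Constructed sample lines, not taken from any real server.
SAMPLE = """\
SSLProtocol all -SSLv2 -SSLv3
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.2 TLSv1.3;   # only current versions
"""
if __name__ == "__main__":
    for no, directive, bad in audit(SAMPLE):
        print(f"line {no}: {directive} still enables {', '.join(bad)}")
```

Lines 1 and 3 of the sample are reported because they disable SSLv2/SSLv3 but leave TLS 1.0 and TLS 1.1 enabled.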
Useful links
- DROWN - Security vulnerability using the SSLv2 protocol
- Poodle: a vulnerability affecting the SSLv3 protocol
- SSLv3 Deactivation on Paypal
- Disable SSLv2 and SSLv3 under IIS
- Disable SSLv2 and SSLv3 under IIS 8.5
- Disable SSLv2 and SSLv3 under Apache
- Disable SSLv2 and SSLv3 on Tomcat
- Install a certificate for Nginx
- Test your web sites with CopiBot
- TLS 1.2 will be mandatory as of March 2020
- Activate TLS1.2 on IIS7.5
- How to disable SSLv3
  on web browsers: Chrome and Chromium, Windows, Linux / Unix, Mac OS X, Mozilla Firefox, Safari, Internet Explorer, Opera
  web servers: Apache, IIS, Nginx, Lighttpd
  mail servers: Sendmail, Postfix, Dovecot, Courier-imap
  and others: Java, NodeJS, Puppet, HAProxy ...
- PDF Document from ANSSI: SSL/TLS: inventory and recommendations