Re: [Simpleweb-Support] Removing weaker ciphers from SSL support
From: Kai S. <sch...@gm...> - 2011-01-11 07:20:59
Hey Andy,

I'm not very experienced with Java's cryptography, all I know is that it is a den of wizards that hide a maze. As far as I understand, the audit complains that you are too permissive in how you allow clients their access. Depending on what sort of business you're in, you should either freak out or feel comforted. In the public domain, many people use "not so good" cryptography. MD5 hashes are a great example. It's hackable. Is there better? Yes. Is it really worth the trouble to upgrade? Well, in time, yes. Is the upgrade immune to hacks? Yes, for the time being... ... ...

In the private / military domain, any infringement or security risk is worth mentioning.

Anyway... in your app, run a full printout on the System class. Uhm... use retrospection if you have to. It'll print out tons and tons of data. You'll find loads of stuff that would worry you if you were military hehe. But really, it's in your OpenSSL library... have a look at www.openssl.org for further info :)

-k (being my useless self)

On Mon, Jan 10, 2011 at 5:07 PM, Andrew Barlow <and...@sd...> wrote:
> We have just received the results of a security audit on a system that we
> developed which uses Simple 4.1.21 to deliver content over SSL.
>
> The finding was:
>
> "Three weak SSL ciphers were noted as being supported by the web server.
> These ciphers all used a symmetric key length of 56 bits or less and are
> considered unsuitable for use by a financial services application.
> OpenSSL name: EXP-DES-CBC-SHA
> Detailed information: Key Exchange: RSA(512); Authentication: RSA;
> Encryption: DES(40); MAC: SHA1
> OpenSSL name: EXP-RC4-MD5
> Detailed information: Key Exchange: RSA(512); Authentication: RSA;
> Encryption: RC4(40); MAC: MD5
> OpenSSL name: DES-CBC-SHA
> Detailed information: Key Exchange: RSA; Authentication: "
>
> and the recommendation was that the server be configured to remove these
> weak ciphers.
>
> Is this something we do in Simple, or do we make changes in the Java
> keystore?
>
> Does anyone have any experience of this?
>
> Andy Barlow
>
> _______________________________________________
> Simpleweb-Support mailing list
> Sim...@li...
> https://lists.sourceforge.net/lists/listinfo/simpleweb-support
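For the question in the quoted message: in JSSE the keystore holds keys and certificates, while the cipher suites a server offers are a property of the SSLServerSocket or SSLEngine, so the fix is applied where the socket is created. Below is an added example (not code from this thread or from the Simple project) that filters the export-grade and single-DES suites named in the audit out of the suites the JVM supports; the class and method names are assumptions, and handing the resulting socket to Simple is not shown.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

public final class StrongCipherSuites {

    // JSSE names for the suites in the audit are SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
    // SSL_RSA_EXPORT_WITH_RC4_40_MD5 and SSL_RSA_WITH_DES_CBC_SHA; the pattern also
    // rejects NULL-encryption, anonymous key exchange and RC4/MD5 suites.
    private static final Pattern WEAK = Pattern.compile(
            "EXPORT|_DES_|DES40|NULL|anon|RC4|_MD5", Pattern.CASE_INSENSITIVE);

    /** Returns the suites from {@code supported} that do not match the weak-suite pattern. */
    public static String[] select(String[] supported) {
        List<String> strong = new ArrayList<String>();
        for (String suite : supported) {
            if (!WEAK.matcher(suite).find()) {
                strong.add(suite);
            }
        }
        if (strong.isEmpty()) {
            // Fail closed rather than silently falling back to the JVM defaults.
            throw new IllegalStateException("no acceptable cipher suites available");
        }
        return strong.toArray(new String[strong.size()]);
    }

    /** Opens a server socket on {@code port} that negotiates only the filtered suites. */
    public static SSLServerSocket openServerSocket(SSLContext context, int port) throws IOException {
        SSLServerSocketFactory factory = context.getServerSocketFactory();
        SSLServerSocket socket = (SSLServerSocket) factory.createServerSocket(port);
        // Filter what the runtime supports, not only what it enables by default.
        socket.setEnabledCipherSuites(select(socket.getSupportedCipherSuites()));
        return socket;
    }

    public static void main(String[] args) {
        // Constructed sample list: the three audited suites plus two acceptable ones.
        String[] sample = { "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
                "SSL_RSA_WITH_DES_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" };
        for (String suite : select(sample)) {
            System.out.println(suite);
        }
    }
}
```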