If you run a secure site on IIS 6, note that the legacy SSL 2.0 protocol is enabled by default. SSL 2.0 has been superseded by SSL 3.0 and you’d want to disable it for the following reasons.
The Downgrade Attack: SSL v2 has no notion of integrity checking for handshake packets. Thus, an attacker could change the algorithms and key lengths chosen by the client while the appropriate handshake message was on the wire. This can result in a weak SSL connection being setup between the client and the server even though this is not what the two intended. Armed with this weak connection, the attacker could log all the traffic going by during the data exchange and could then use a brute force application to attack the weak encryption.
The Truncation Attack: SSL v2 does not allow the parties involved to distinguish when the connection is ended by one of them or by a malicious third party. Thus an attacker can freely interrupt secure client-server connections. If the attacker additionally understands the application, the semantics and ordering of messages being exchanged, then he/she can potentially alter the meaning of a message by interrupting the connection at precisely the correct instant.
Instructions for disabling SSL 2.0
- Open the registry editor and navigate to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ SecurityProviders\SCHANNEL\Protocols\SSL 2.0
- Under the Client key set Enabled DWORD value to 0×0
- Under the Server key set Enabled DWORD value to 0×0
If you hire someone to run a penetration test on your server/web site, this is one of the things they look out for. Eliminating it right from the start would prevent this blemish on your pen test report.
References
http://support.microsoft.com/?kbid=245030
Comments