A vulnerability has just been discovered in https, specifically in the Diffie-Hellman key exchange. This arose from the old export restrictions set by the US, so that its law enforcement and security agencies could break encryption used by foreign entities. Ars Technica, as usual, has a good write-up.
The researchers who discovered the flaw have a dedicated website which gives pointers on what to do if you run a web server, or just a browser. They have a server scanner, or you can use the one at Qualys SSL Labs.
Ivan Ristić has some more detail on increasing the strength of DH on Apache. Unfortunately, it may not be supported by the version of Apache you happen to have running.
How-to's and technical news about Linux and open computing, with a sprinkling of Python.
Showing posts with label https. Show all posts
Showing posts with label https. Show all posts
2015-05-20
2014-10-15
Another SSL vulnerability - The POODLE Attack
From the Mozilla Security Blog:
Scott Helme has a good run down on how to fix this issue, for various servers and browsers.
SSL version 3.0 is no longer secure. Browsers and websites need to turn off SSLv3 and use more modern security protocols as soon as possible, in order to avoid compromising users’ private information.Under RHEL 6.5 with Apache httpd, edit /etc/httpd/conf.d/ssl.conf and make sure the protocol line disables both SSLv2 and SSLv3:
SSLProtocol all -SSLv2 -SSLv3or you can just specify TLS only:
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2Ars Technica has a good explanation.
Scott Helme has a good run down on how to fix this issue, for various servers and browsers.
Subscribe to:
Posts (Atom)