Subject: [Full-Disclosure] KDE's konqueror chooses low-security SSL ciphers by default
Date: Fri, 26 Nov 2004 23:48:50 +0100
Konqueror doesn't use the strongest cipher available if connecting using https. 

This was first spotted by Fridtjof Busse in
http://bugs.kde.org/show_bug.cgi?id=86332
go there for the gory details.

E.g. konqueror uses 128bit RC4-MD5 even if 256bit AES is supported on both
sides.  Firefox on the same machine automagically uses the strongest cipher
(in this case AES-256). 

Problem: Instead of relying on the built-in autonegotiation and
auto-selection that OpenSSL offers, a hardcoded list of ciphers is being
used. This list chooses low-strength ciphers by default to be compatible with
broken servers.

This way, one can neither take advantage of new ciphers (since
recompilation is required), nor of the strongest encryption possible.

Lutz Jänicke, OpenSSL developer, says:

"I do not think that I understand this mess. I don't like code that bypasses
the given API (see the meth->get_cipher) access... man SSL_get_ciphers and
friends may help. 
I would rather recommend to simply leave the cipher selection to the
OpenSSL library (from time to time we do think about our default
settings)... "

-- 
Ralf Hildebrandt (i.A. des IT-Zentrum)          Ralf.Hildebrandt@charite.de
Charite - Universitätsmedizin Berlin            Tel.  +49 (0)30-450 570-155
Gemeinsame Einrichtung von FU- und HU-Berlin    Fax.  +49 (0)30-450 570-962
IT-Zentrum Standort CBF                 send no mail to spamtrap@charite.de
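
An added example, not part of the original post and not KDE or OpenSSL code: it models how a compatibility-ordered hardcoded cipher list yields a weaker cipher than the strongest one both sides support, and lists what the local OpenSSL build offers when the application sets no list. The cipher table, `HARDCODED_ORDER` and the server set are constructed for illustration (not Konqueror's actual list), and the server is assumed to follow the client's preference order.

```python
import ssl

# Constructed sample data: OpenSSL cipher names with symmetric key strength in bits.
STRENGTH_BITS = {"AES256-SHA": 256, "AES128-SHA": 128, "RC4-MD5": 128, "EXP-RC4-MD5": 40}

# Hypothetical hardcoded client preference list ordered for compatibility
# (illustrative only, not Konqueror's actual list).
HARDCODED_ORDER = ["RC4-MD5", "AES128-SHA", "AES256-SHA", "EXP-RC4-MD5"]


def negotiate(client_order, server_supported):
    """Return the first client-preferred cipher the server supports, else None.

    Assumption: the server follows the client's preference order.
    """
    for name in client_order:
        if name in server_supported:
            return name
    return None


def audit(client_order, server_supported, strength=STRENGTH_BITS):
    """Compare the negotiated cipher with the strongest one both sides support."""
    chosen = negotiate(client_order, server_supported)
    if chosen is None:
        return {"chosen": None, "best": None, "lost_bits": 0}
    mutual = [c for c in client_order if c in server_supported]
    best = max(mutual, key=lambda c: strength[c])
    return {"chosen": chosen, "best": best, "lost_bits": strength[best] - strength[chosen]}


def by_strength(client_order, strength=STRENGTH_BITS):
    """Reorder a list strongest first; the stable sort keeps ties in original order."""
    return sorted(client_order, key=lambda c: -strength[c])


def library_default():
    """Cipher list the local OpenSSL build offers when the application sets none."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return [(c["name"], c["strength_bits"]) for c in ctx.get_ciphers()]


if __name__ == "__main__":
    server = {"RC4-MD5", "AES256-SHA"}  # constructed: server supports both
    print(audit(HARDCODED_ORDER, server))
    print(audit(by_strength(HARDCODED_ORDER), server))
    print(library_default()[:5])
```
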
