SSL/TLS Implementation Validation Analysis

SSL/TLS implementation validation is performed to detect the use of known weak encryption methods or hash functions. An example of this is SSL v2, which should no longer be used due to known vulnerabilities. Other errors that need to be verified include the use of a symmetric encryption algorithm with keys of less than 128 bits, X.509 certificates that use a public key of less than 1,024 bits, and the MD5 hash function, which is known for successful collision attacks. It is also important to check the validity period of the certificate used and the correctness of its signature by a trusted certification authority. You can use a tool called testssl.sh for this. It is a free program created by Dirk Wetter and is run from the command line. It checks the service of a given server on any port for support for TLS/SSL encryption, protocols, and cryptographic vulnerabilities. The figure below shows the scan result of one of the applications being tested.

Figure. The result of scanning the SSL/TLS implementation with testssl.sh. Source: [Own study]
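The checks listed above can also be expressed as a small policy function. The following is an added example, not part of the original article and not testssl.sh code; the record layout (`protocols`, `ciphers`, `certificate`, `chain_verified`) and the sample values are constructed assumptions standing in for whatever a scanner reports.

```python
from datetime import datetime, timezone

MIN_SYMMETRIC_BITS = 128    # symmetric keys below 128 bits are flagged
MIN_PUBLIC_KEY_BITS = 1024  # X.509 public keys below 1,024 bits are flagged

def audit(scan, now):
    """Return the list of findings for one scanned service (hypothetical record layout)."""
    findings = []
    if "SSLv2" in scan["protocols"]:
        findings.append("SSLv2 offered")
    for name, bits in scan["ciphers"]:
        if bits < MIN_SYMMETRIC_BITS:
            findings.append(f"weak cipher {name} ({bits} bits)")
    cert = scan["certificate"]
    if cert["public_key_bits"] < MIN_PUBLIC_KEY_BITS:
        findings.append(f"public key too short ({cert['public_key_bits']} bits)")
    if cert["signature_hash"].upper() == "MD5":
        findings.append("certificate signed with MD5")
    # Validity period: flag certificates that are not yet valid or already expired.
    if now < cert["not_before"]:
        findings.append("certificate not yet valid")
    elif now > cert["not_after"]:
        findings.append("certificate expired")
    # The signature check itself is done by the scanner or TLS library;
    # this function only reads its verdict (assumed field).
    if not cert["chain_verified"]:
        findings.append("signature not verified against a trusted CA")
    return findings

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed sample records, not real scan output.
WEAK_SCAN = {
    "protocols": ["SSLv2", "TLSv1.2"],
    "ciphers": [("DES-CBC3-SHA", 112), ("AES128-GCM-SHA256", 128), ("EXP-RC4-MD5", 40)],
    "certificate": {"public_key_bits": 512, "signature_hash": "md5",
                    "not_before": utc(2020, 1, 1), "not_after": utc(2021, 1, 1),
                    "chain_verified": False},
}
GOOD_SCAN = {
    "protocols": ["TLSv1.2", "TLSv1.3"],
    "ciphers": [("AES128-GCM-SHA256", 128), ("AES256-GCM-SHA384", 256)],
    "certificate": {"public_key_bits": 2048, "signature_hash": "SHA256",
                    "not_before": utc(2023, 6, 1), "not_after": utc(2024, 6, 1),
                    "chain_verified": True},
}

if __name__ == "__main__":
    for finding in audit(WEAK_SCAN, utc(2024, 1, 1)):
        print("FAIL:", finding)
```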
