[HN Gopher] After 28 years, SSLv2 is still not gone from the int...
___________________________________________________________________
After 28 years, SSLv2 is still not gone from the internet
Author : 1970-01-01
Score : 31 points
Date : 2023-10-26 15:22 UTC (1 days ago)
(HTM) web link (isc.sans.edu)
(TXT) w3m dump (isc.sans.edu)
| 1970-01-01 wrote:
| HN insists on breaking the correct hyperlink.
|
| https://isc.sans.edu/diary/After+28+years+SSLv2+is+still+not...
| dang wrote:
| It's because the page says <link
| rel="canonical" href="https://isc.sans.edu/diary/0" />
|
| which is presumably incorrect. I've fixed the link above
| manually now.
| pixl97 wrote:
| So the number is like 250ish sites. Are these real sites or
| honeypots/test boxes of some kind?
| BoppreH wrote:
| In trying to catch this type of problem on my turf, I built my
| own scanner after getting frustrated with the current options
| (*cough* testssl.sh and its 24kloc of bash *cough*):
|
| https://github.com/boppreh/hello_tls
|
| The cool thing is that you only need Client/Server Hello, before
| any cryptography happens. So the tool is written in pure Python
| (and pyOpenSSL if you want certificate info), and works as a
| library and standalone tool. I'm frequently adding new features,
| so suggestions and bug reports are appreciated.
| hsbauauvhabzb wrote:
| Iirc browsers now warn if tls 1.1 or lower - this warning is a
| similar page to when there is an invalid cert, but you cannot
| click through - you need to explicitly disable a config flag to
| ignore.
|
| So what's the real world impact of a server running sslv2?
| TedDoesntTalk wrote:
| None.
___________________________________________________________________
(page generated 2023-10-27 23:00 UTC)