BEAST attacks and SSL

Discussion in 'BlackHat Lounge' started by xenoxen, Aug 28, 2012.

  1. xenoxen

    xenoxen Jr. VIP Jr. VIP

    Joined:
    Jul 22, 2009
    Messages:
    917
    Likes Received:
    219
    Gender:
    Male
    Occupation:
    Co-Founder Expired1.com
    Location:
    Europe, Poland
    Hey guys,

    So I got a msg from my client about his shop. We installed SSL 3.0 for him a few days ago and now he has a msg from that guy telling him that his server is vulnerable to BEAST attacks: ( https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls ). Already took a minute to run a test here: https://www.ssllabs.com/ and the website does not have TLS 1.1 or TLS 1.2 - what should I do? Ask the hosting provider to provide new certificates to secure those protocols?

    Maybe you have had a situation like this - I'm not an expert in SSL and server security things.
    Already e-mailed the hosting company to get advice.

    What do you think?

    Thanks!
     
  2. necro

    necro Regular Member

    Joined:
    Dec 23, 2010
    Messages:
    313
    Likes Received:
    194
    As far as I understand, this is a server-side problem.

    Just ask your hoster if they could test it and if they can fix it.
     
  3. mortazavi71

    mortazavi71 Newbie

    Joined:
    Aug 27, 2012
    Messages:
    45
    Likes Received:
    5
    Just get the new root certs from the SSL provider and add them to your server using your control panel like cPanel or DA.
    It's a simple copy and paste issue...
     
  4. xenoxen

    xenoxen Jr. VIP Jr. VIP

    Thanks guys. I will email the hosting provider again. Do we have to buy another certificate for this? Already paid for SSL - is there another one for TLS 1.1 and/or TLS 1.2?
     
  5. necro

    necro Regular Member

    Hey,

    The way I read the article, it sounds like there is an exploitable function in OpenSSL, which is free. I think the certificate won't be affected.

    Greetz
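
Added example, not part of any post in this thread: BEAST depends on the protocol version and cipher suite the server selects in its ServerHello, not on the certificate. The Python sketch below parses that message and flags the SSL 3.0/TLS 1.0 plus CBC combination; the sample records, the function names and the short CBC suite table are constructed for illustration.

```python
import struct

# Protocol versions as they appear on the wire (SSL 3.0 through TLS 1.2).
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
# Some CBC-mode suites from the IANA registry; illustrative, not exhaustive.
CBC_SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}

def parse_server_hello(record: bytes):
    """Return (version, cipher_suite) chosen by the server in a ServerHello record."""
    if len(record) < 5:
        raise ValueError("record too short")
    ctype, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 22 or rec_len < 4 or len(body) != rec_len or body[0] != 2:
        raise ValueError("not a complete ServerHello handshake record")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    # Layout: version(2) random(32) sid_len(1) session_id suite(2) compression(1)
    if len(hello) < 35 or len(hello) < 38 + hello[34]:
        raise ValueError("ServerHello truncated")
    off = 35 + hello[34]
    version, = struct.unpack("!H", hello[:2])
    suite, = struct.unpack("!H", hello[off:off + 2])
    return version, suite

def beast_exposed(version: int, suite: int) -> bool:
    """BEAST needs a CBC suite under SSL 3.0 or TLS 1.0; TLS 1.1+ uses explicit IVs."""
    return version <= 0x0301 and suite in CBC_SUITES

def build_server_hello(version: int, suite: int) -> bytes:
    """Constructed sample input: minimal ServerHello, zero random, empty session id."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!HB", suite, 0)
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, version, len(handshake)) + handshake

def assess(record: bytes) -> str:
    version, suite = parse_server_hello(record)
    name = VERSIONS.get(version, hex(version))
    verdict = "BEAST-exposed" if beast_exposed(version, suite) else "not BEAST-exposed"
    return f"{name} / {CBC_SUITES.get(suite, hex(suite))}: {verdict}"

if __name__ == "__main__":
    for v, s in [(0x0301, 0x002F), (0x0303, 0x002F), (0x0301, 0x0005)]:
        print(assess(build_server_hello(v, s)))
```

The certificate never enters the decision: the same certificate is served whichever protocol version and suite the server software is configured to negotiate.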