
BEAST attacks and SSL

Discussion in 'BlackHat Lounge' started by xenoxen, Aug 28, 2012.

  1. xenoxen

    Hey guys,

    So I got a msg from my client about his shop. We installed SSL 3.0 for him a few days ago and now he has a msg from that guy telling him that his server is vulnerable to BEAST attacks: ( https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls ). I already took a minute to run a test here: https://www.ssllabs.com/ and the website does not have TLS 1.1 or TLS 1.2 - what should I do? Ask the hosting provider to provide new certificates to secure those protocols?

    Maybe you have had a situation like this - I'm not an expert in SSL and server security things.
    I already e-mailed the hosting company to get advice.

    What do you think?

    Thanks!
     
  2. necro

    As far as I understand, this is a server-side problem.

    Just ask your hoster if they could test it and if they can fix it.
     
  3. mortazavi71

    Just get the new root certs from the SSL provider and add them to your server using your control panel like cPanel or DA.
    It's a simple copy and paste issue...
     
  4. xenoxen

    Thanks guys. I will email the hosting provider again. Do we have to buy another certificate for this? We already paid for SSL - is there another one for TLS 1.1 and/or TLS 1.2?
     
  5. necro

    necro Regular Member

    Joined:
    Dec 23, 2010
    Messages:
    292
    Likes Received:
    189
    Hey,

    The way I read the article, it sounds like there is an exploitable function in OpenSSL, which is free. I think the certificate won't be affected.

    Greetz