10

From Hackers break SSL encryption used by millions of sites:

The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet's foundation of trust. Although versions 1.1 and 1.2 of TLS aren't susceptible, they remain almost entirely unsupported in browsers and websites alike

Is this true? Are there any statistics that can confirm that many sites/webbrowsers are still using TLS 1.0?

Jonas
  • 5,163
  • 7
  • 33
  • 35
LanceBaynes
  • 6,209
  • 12
  • 60
  • 92
  • 2
    There was/is a site out there that lists the top n sites still running insecure versions... wish I remembered what it was! – Steve Sep 20 '11 at 16:52
  • @SteveS That was probably for SSL 2.0? Pretty much everything supports SSL 3.0/TLS 1.0. – Shane Madden Sep 21 '11 at 05:50
  • http://support.mozilla.com/en-US/questions/781028 – LanceBaynes Sep 21 '11 at 07:58
  • So Google Chrome doesn't support TLS 1.1, 1.2, Firefox doesn't support TLS 1.1, 1.2, But ie9 does. epic fail. – LanceBaynes Sep 21 '11 at 08:08
  • @Lance: While IE9 has support for TLS 1.1 and TLS 1.2, only TLs 1.0 and SSL 3.0 is activated per default. TLS 1.1 and TLS 1.2 need to be activated manually in the settings. – Jonas Sep 21 '11 at 08:51
  • @Jonas but still... Usually that was Microsoft who made security fails like LM/NTLM authentication used even now. – Smit Johnth Mar 19 '13 at 02:07

2 Answers2

9

Yes, nearly everyone is still using SSL 3.0 or TLS 1.0. Ivan Ristic from Qualys did a nice talk at Blackhat about that this year.

As to whether or not the attack is real, I understand that it is indeed real, although there is some debate at the moment about its impact, since the details have not been made public yet.

UPDATE- We're recommending to our customers that they bump rc4 to the top of the ciphersuite list, since it won't be vulnerable to this attack. After a day's research, the attack looks both plausible and potentially severe.

For Apache, something like this should do it:

SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:!SSLv2:RC4-SHA:RC4-MD5:ALL
SSLHonorCipherOrder on
Steve Dispensa
  • 3,441
  • 16
  • 20
  • 1
    There are quite a few details here: https://threatpost.com/en_us/blogs/new-attack-breaks-confidentiality-model-ssl-allows-theft-encrypted-cookies-091611 Not enough to reproduce the attack, but much more than the Register article. – user502 Sep 20 '11 at 17:11
  • Can you provide a reference saying that RC4 isn't vulnerable? – makerofthings7 Sep 20 '11 at 21:54
  • 1
    RC4 is a stream cipher, and therefore doesn't use a construct like CBC. All block ciphers using CBC appear to be vulnerable. There aren't a lot of good references yet; this is largely the result of internal research and an emerging consensus on the Internet. Don't take my word for it, though - use this as a starting point to form your own conclusion. – Steve Dispensa Sep 20 '11 at 22:20
  • For some very late-breaking stuff, several folks are talking about rc4 on twitter at the moment. – Steve Dispensa Sep 20 '11 at 22:23
5

Sure. Ivan Ristic from Qualys has some detailed analysis. The short version is that very few web sites support TLS 1.1 or TLS 1.2. Here's one overview he's provided:

statistics on SSL protocol support

Here's a related overview that appeared in The Register:

more statistics on SSL protocol support

For more detail, see the Qualys 2010 SSL survey and the G-SEC SSL hardening and compatibility survey.

D.W.
  • 98,860
  • 33
  • 271
  • 588