disabling sslv2 because it is naughty

We now know how to test for SSLv2. How do you fix it?

IIS6: Well, go ask Microsoft. It is a registry edit and not a GUI option: under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server (create the Server key if it isn’t there), add a DWORD named Enabled with the value 0, then reboot. Microsoft KB 187498 walks through it.

Apache httpd.conf: “SSLProtocol all -SSLv2” (everything except SSLv2, so SSLv3 and TLSv1 stay on) or, more restrictively, “SSLProtocol -all +SSLv3”, which also turns off TLSv1 and is probably more than you want. Put it in the SSL virtual host (or globally) and restart Apache. Further cipher tinkering, such as dropping the export and NULL ciphers, can be done with the SSLCipherSuite directive.

For everything else, you need to consult documentation. In my case, I have Citrix Netscaler load-balancers in front of my web servers. In the port 443/SSL vservers->SSL tab->SSL Parameters, I would uncheck “SSLv2” and uncheck “Enable SSLv2 URL.” That second one is just the redirect for browsers wanting to make SSLv2 connections when SSLv2 is not wanted. Of course, this can also be done via SSH.

testing ssl strength

A common question on security surveys, and often an item auditors love to point out because it’s “easy,” is the question of SSLv2/3 support. SSLv2 is insecure and shouldn’t be used: its handshake is not integrity-protected, so a man in the middle can trim the offered cipher list down to a 40-bit export cipher, and it uses the same key for both encryption and message authentication. Various sources can describe (pdf) the issues better than I, but I will say I don’t know if anyone has made SSLv2 attacks very practical, even if browsers still fell back to SSLv2, which they no longer do.

So how do you check what SSL version your web site supports?

1. SSLDigger available as a free Foundstone tool
SSLDigger is a GUI tool that accepts a site (or IP) and digs on the supported SSL ciphers. A nice tool, but it actually gives no distinction between what is SSLv2 and what is SSLv3. However, it does rate ciphers on how weak they are, which can be a nice guide if you’re digging down that deeply and enabling or disabling various individual ciphers.

2. THCSSLCheck
THCSSLCheck is a Windows command-line tool. THCSSLCheck takes things a step further and groups ciphers based on their SSL version, which is a nice indicator. Very clean!

3. OpenSSL
Yup, OpenSSL (Windows and Linux) can also check SSL strength, and might be the easiest test to understand. Unlike the other two, it also shows you the content it receives from the website after the handshake. This is helpful if you have a proxy, filter, or load-balancer in the way that redirects SSLv2 connection attempts. The above two tools simply determine whether a cipher negotiation was successful, but they do not report any context. In my case, I have load-balancers in front of my web servers that answer SSLv2 connections with a landing page saying we don’t support SSLv2. So, yes, the scan showed a positive, but it’s not a real positive. OpenSSL will catch this: s_client stays connected after the handshake, so wait a bit and hit enter a few times and the landing page comes back along with the negotiated protocol and cipher.

openssl s_client -connect www.mysite.com:443 -ssl2

Swap -ssl2 for -ssl3 or -tls1 to try the other versions. If the handshake succeeds you’ll see the server certificate and a “Protocol : SSLv2” line in the SSL-Session block; if it fails you get an error and no cipher line. One caveat: -ssl2 only exists if your copy of OpenSSL was built with SSLv2 support, and some distributions build it out.
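To see what SSLDigger and THCSSLCheck are actually doing when they report an SSLv2 “positive,” here is an added example, written for this page and not taken from the original post or from any of the tools above. It builds a raw SSLv2 CLIENT-HELLO offering every SSLv2 cipher kind, sends it over a plain socket, and classifies the first record that comes back: a SERVER-HELLO (with the cipher kinds the server accepts), an SSLv2 ERROR, a TLS alert or plaintext, or a closed connection. The host name is whatever you pass on the command line; the SERVER-HELLO and ERROR replies at the bottom are constructed so the classifier can be exercised offline.

```python
# Added example (not the author's code, nor SSLDigger/THCSSLCheck/OpenSSL):
# send an SSLv2 CLIENT-HELLO and classify the first record that comes back.
# The sample replies at the bottom are constructed for offline use.
import os
import socket
import struct
import sys

# SSLv2 cipher kinds (3 bytes each) from the SSL 2.0 draft specification.
SSL2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
SSL2_ERRORS = {1: "NO-CIPHER-ERROR", 2: "NO-CERTIFICATE-ERROR",
               4: "BAD-CERTIFICATE-ERROR", 6: "UNSUPPORTED-CERTIFICATE-TYPE-ERROR"}
MSG_ERROR, MSG_CLIENT_HELLO, MSG_SERVER_HELLO = 0, 1, 4
SSL2_VERSION = 0x0002


def record(body: bytes) -> bytes:
    """Wrap a message in the 2-byte SSLv2 record header (high bit set = no padding)."""
    return struct.pack("!H", 0x8000 | len(body)) + body


def build_client_hello(challenge: bytes = None) -> bytes:
    """CLIENT-HELLO offering every cipher kind above, no session id, 16-byte challenge."""
    challenge = challenge if challenge is not None else os.urandom(16)
    ciphers = b"".join(SSL2_CIPHERS)
    header = struct.pack("!BHHHH", MSG_CLIENT_HELLO, SSL2_VERSION,
                         len(ciphers), 0, len(challenge))
    return record(header + ciphers + challenge)


def classify_response(data: bytes) -> dict:
    """Classify the server's first record. Only the 2-byte (unpadded) record
    header is handled, which is the form SERVER-HELLO and ERROR use."""
    if not data:
        return {"sslv2": False, "reason": "connection closed without a reply"}
    if len(data) < 3 or not data[0] & 0x80:
        return {"sslv2": False, "reason": "not an SSLv2 record (TLS alert, plaintext or garbage)"}
    rec_len = struct.unpack("!H", data[:2])[0] & 0x7FFF
    body = data[2:2 + rec_len]
    if len(body) >= 3 and body[0] == MSG_ERROR:
        code = struct.unpack("!H", body[1:3])[0]
        return {"sslv2": False, "reason": "SSLv2 ERROR: " + SSL2_ERRORS.get(code, hex(code))}
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return {"sslv2": False, "reason": "SSLv2 record, but not a SERVER-HELLO"}
    # SERVER-HELLO: type, session-id-hit, cert-type, version, cert len, cipher-specs len, conn-id len
    _, _hit, _ctype, version, cert_len, cipher_len, _cid_len = struct.unpack("!BBBHHHH", body[:11])
    spec = body[11 + cert_len:11 + cert_len + cipher_len]   # cipher kinds the server will use
    ciphers = [SSL2_CIPHERS.get(spec[i:i + 3], spec[i:i + 3].hex())
               for i in range(0, len(spec) - len(spec) % 3, 3)]
    return {"sslv2": True, "version": version, "cert_len": cert_len, "ciphers": ciphers,
            "reason": "SERVER-HELLO received: the SSLv2 handshake is accepted"}


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Send the CLIENT-HELLO to a live host and classify the first record back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        data = b""
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
                if not data[0] & 0x80:   # not SSLv2, don't wait for more
                    break
                if len(data) >= 2 + (struct.unpack("!H", data[:2])[0] & 0x7FFF):
                    break                # whole first record has arrived
        except socket.timeout:
            pass
    return classify_response(data)


def sample_server_hello() -> bytes:
    """Constructed SERVER-HELLO: no session hit, cert type 1 (X.509), a dummy
    8-byte 'certificate', two cipher kinds accepted, 16-byte connection id."""
    cert = b"\x30\x06\x02\x01\x01\x02\x01\x02"   # placeholder bytes, not a real certificate
    accepted = b"\x01\x00\x80" + b"\x07\x00\xc0"
    conn_id = bytes(range(16))
    header = struct.pack("!BBBHHHH", MSG_SERVER_HELLO, 0, 1, SSL2_VERSION,
                         len(cert), len(accepted), len(conn_id))
    return record(header + cert + accepted + conn_id)


# Constructed reply from a server that shares no SSLv2 cipher kind with us.
SAMPLE_NO_CIPHER_ERROR = record(struct.pack("!BH", MSG_ERROR, 1))

if __name__ == "__main__":
    if len(sys.argv) > 1:                     # python thisfile.py host [port]
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
    else:                                     # offline: classify the constructed samples
        for name, reply in (("server-hello", sample_server_hello()), ("no-cipher", SAMPLE_NO_CIPHER_ERROR),
                            ("tls-alert", b"\x15\x03\x01\x00\x02\x02\x28"), ("closed", b"")):
            print(name, "->", classify_response(reply))
```

Run it with a host name (and optional port) to probe a live server; with no arguments it just classifies the constructed samples. Two things worth keeping in mind when reading the result: a SERVER-HELLO means whatever answered the port accepts an SSLv2 handshake, which is exactly what the GUI scanners report and what an auditor will write up no matter which page is served afterward, so a load-balancer that “politely” completes the handshake and then sends a landing page still counts; and this probe stops at the first record and never does the key exchange, so seeing that landing page is still a job for openssl s_client.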

“aldaraan server is the call of duty place to be!” something missing from x-box live

I recently got into X-Box Live (XBL) multiplayer matches in Left 4 Dead and this weekend Call of Duty: World at War.* I’ve been so far having a good time, but there is something missing in XBL multiplayer that I loved in my previous years of PC gaming.

I used to play Quake 1, Unreal Tournament I, and even the first Call of Duty, all on the PC. When you played multiplayer on those games, you would somehow get a list of servers hosting games and choose one based on various criteria, most likely latency, game settings, player population, and even reputation of the server. When you found a game that played well and was fun, you usually wrote it down or saved it as a favorite. This resulted in a list of frequented servers you played on.

Over time, I became a regular on my preferred servers, and I got to see other regulars who were around on that server too. In fact, eventually you get to chatting with them and form a sort of gaming friendship (or rivalry). This was excellent, as you could play with and meet several other players over time. This occurred in all three of those games I played majorly, and always resulted in clan invites, friendships made, and carry-over into IRC, forums, and IM. Sometimes you could play for weeks before finally actually talking with another regular and chatting it up, having fun, etc. Every now and then you would even learn of other servers your friends liked, and thus expand your exposure.

In XBL, you typically dive into the multiplayer games and get thrown into a random game with a slot open, which is likely just an ad-hoc host in a farm of host servers. There are no server names, no preferences, no continuity to the multiplayer gaming experience; no home “turf.” If you want to make friends, you have to do so in the small window of time that you’re both in that particular game instance. And even then, you may not be playing on the same team on the next 3 maps!

Last night in Call of Duty there were over 200,000 people playing, and maybe 35,000 in my game type (Team Deathmatch since I’m new). The chances of me seeing any repeat action from players I’d seen before are exceedingly slim. Even in Left 4 Dead, I’ve only had a repeat player once (notably we both remembered each other).

The way you play repeat games is to friend people you play with, immediately. This results in a watered-down friends list full of people you barely know, from friending everyone you could possibly stand to play with again. And vice-versa (considering I still suck, I doubt this is a 2-way street yet!). Even then, you still usually have to join the games as an XBL party or risk playing against them, or not at all because their game is full. Bad choices in friending people can then turn into awkward moments where you’d rather avoid them…

I wonder how clan matches work in this setting? Maybe I’m still missing things in my limited exposure…

Still, there is something to be said about the continuity of the gaming experience and community that forms from discrete servers. It would be nice if XBL had named servers, and if capacity was larger than the named ones, then maybe ad-hoc hosts can spring up for peak times to get all those people looking for a random game. Or just have such a huge pool of “server” names that they never run out.

“Aldaraan #10” is the place to be Friday nights!

* It is already annoying enough to hear 8 year old boys talking with impunity in game, let alone a game that now and then says, “Good fucking job, marines!” I find that many of my jokes and game jabber may not be suitable…

you’ve heard all of this before on pci dss

Fun times continue with PCI DSS. Anyone with an idea of security saw all of this coming (and this can be applied to any security checklist…):

1. PCI “compliant” firms suffer breach.
2. Companies/people question PCI.
3. PCI blames firms for not being perfect every moment of every day.*
4. PCI DSS is only guidelines and checklists that don’t actually DO the securing in and of themselves.

We’ve all just been waiting for more inevitable data points on the grid of this argument.

The argument revolves around how PCI markets their DSS and how people accept it. If PCI markets it as a rubber stamp approval of ultimate security, they fail. If people expect PCI to be perfect, they fail. PCI can fix this by simply adding the byline: “…this is where you start with security, but this is not alone a guarantee of security.”

Of course, we all know how that will be taken: “If it’s not perfect, it’s useless!” Which is an immature (or common business) argument in a realm where perfection is not possible. Sadly, this is where the media sucks (and rightly milks it for the hits/attention), and the general public only has immature thoughts about security. But still, PCI fails for allowing the perception that its DSS will save you, even if that was their intention in the first place.

PCI is no better than any checklist or list of best practices.

* PCI can weasel out of any blame any given day. Just blame the QSA and/or the firm. This is another “law” of security, not just cyber but every sort of security from war efforts to the war on drugs: You can always naysay because there is no ultimate “win” and no ultimate definitions. Another “law” illustrates this, “You *will* suffer a security incident.”