This document is not intended to be a definitive guide. It is a review of the issues most commonly identified when SSL certificates are deployed inappropriately on internal services within a corporate environment.
As it stands, SSL is in a bad way. First BEAST, then CRIME, and now the weaknesses highlighted in the RC4 cipher, which had been proposed as a workaround for the previous attacks, have left SSL version 3 and TLS version 1.0 in a bind. At present, the most practical recommendation is to use RC4 as the only cipher on SSL3 and TLS1.0 connections. This is far from ideal, given that RC4 is a weak cipher and is vulnerable to a keystream bias attack.
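To make the trade-off above concrete, the following checker (an added example, not code from the original post) classifies a negotiated protocol, cipher suite and compression setting against the three issues the post names: BEAST applies to CBC-mode suites on SSLv3 and TLS 1.0 (TLS 1.1 and later use explicit per-record IVs), CRIME applies whenever TLS-level compression is enabled, and the bias attack applies to any RC4 suite regardless of protocol version. The function names and the sample configurations are assumptions made for illustration; cipher suite names are assumed to follow the IANA `TLS_..._WITH_...` naming, not OpenSSL's short names.

```python
"""Classify a negotiated TLS parameter set against BEAST, CRIME and RC4 bias.

Added example; the function names, the Finding type and the sample
configurations below are constructed for illustration. Suite names are
expected in IANA form (e.g. TLS_RSA_WITH_AES_128_CBC_SHA).
"""
from __future__ import annotations

from dataclasses import dataclass

# Ordering used to compare protocol versions.
PROTOCOL_ORDER = {"SSLv3": 0, "TLSv1.0": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


@dataclass(frozen=True)
class Finding:
    name: str
    detail: str


def cipher_mode(suite: str) -> str:
    """Derive the bulk-cipher mode from an IANA-style cipher suite name."""
    s = suite.upper()
    if "NULL" in s:
        return "NULL"
    if "RC4" in s:
        return "RC4"
    if "GCM" in s or "CCM" in s or "CHACHA20" in s:
        return "AEAD"
    if "CBC" in s:
        return "CBC"
    return "UNKNOWN"


def assess(protocol: str, suite: str, compression: bool = False) -> list[Finding]:
    """Return the findings that apply to this (protocol, suite, compression) combination."""
    if protocol not in PROTOCOL_ORDER:
        raise ValueError(f"unknown protocol {protocol!r}")
    version = PROTOCOL_ORDER[protocol]
    mode = cipher_mode(suite)
    findings: list[Finding] = []

    # CRIME: TLS-level compression leaks secrets through ciphertext length,
    # independently of the cipher chosen.
    if compression:
        findings.append(Finding("CRIME", "TLS compression enabled; secrets leak via ciphertext length"))

    # BEAST: SSLv3/TLS 1.0 chain CBC IVs across records, enabling chosen-plaintext
    # recovery. TLS 1.1+ uses an explicit IV per record, so the condition is version-bound.
    if mode == "CBC" and version <= PROTOCOL_ORDER["TLSv1.0"]:
        findings.append(Finding("BEAST", "CBC suite on SSLv3/TLS1.0 with chained IVs"))

    # RC4 bias: keystream biases allow plaintext recovery from many encryptions
    # of the same secret, on every protocol version.
    if mode == "RC4":
        findings.append(Finding("RC4 bias", "RC4 keystream biases permit plaintext recovery"))

    if mode == "NULL":
        findings.append(Finding("NULL cipher", "no confidentiality"))

    # AEAD suites are only defined for TLS 1.2 and later; flag a configuration
    # that claims one on an older version as inconsistent rather than safe.
    if mode == "AEAD" and version < PROTOCOL_ORDER["TLSv1.2"]:
        findings.append(Finding("Inconsistent", "AEAD suites are not defined below TLS 1.2"))

    return findings


def finding_names(findings: list[Finding]) -> list[str]:
    return [f.name for f in findings]


# Constructed sample configurations illustrating the workaround trade-off.
SAMPLE_CONFIGS = [
    ("TLSv1.0", "TLS_RSA_WITH_AES_128_CBC_SHA", False),          # BEAST
    ("TLSv1.0", "TLS_RSA_WITH_RC4_128_SHA", False),              # the RC4 "workaround"
    ("TLSv1.0", "TLS_RSA_WITH_RC4_128_SHA", True),               # CRIME + RC4 bias
    ("TLSv1.1", "TLS_RSA_WITH_AES_128_CBC_SHA", False),          # BEAST mitigated
    ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", False), # none of the three
]

if __name__ == "__main__":
    for proto, suite, comp in SAMPLE_CONFIGS:
        print(f"{proto:8} {suite:42} compression={comp!s:5} -> {finding_names(assess(proto, suite, comp)) or ['clean']}")
```

Run stand-alone it prints one line per sample configuration; the RC4 rows show why the post calls the workaround "far from ideal": swapping CBC for RC4 trades the BEAST finding for the RC4 bias finding, and only a move to TLS 1.1 or later (or an AEAD suite on TLS 1.2) clears the CBC issue without introducing RC4.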