
Insecure Security Protocol Supported by Target Web Server

Netsparker detected that an insecure transport security protocol (SSLv2) is supported by your web server.

SSLv2 has several flaws. For example, secure traffic that is established over SSLv2 can be observed.

Impact

Attackers can perform man-in-the-middle attacks and observe the encrypted traffic between your website and its visitors.

Remedy

  1. Configure your web server to disallow the use of weak ciphers.
  2. For Apache, modify the SSLProtocol directive in httpd.conf.
        SSLProtocol -ALL +SSLv3 +TLSv1
    
  3. For Microsoft IIS, you should make some changes on the system registry.
    • Click Start, click Run, type regedt32 or type regedit, and then click OK.
    • In Registry Editor, locate the following registry key: HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL2\
    • Locate a key named "Server." If it doesn't exist, create it.
    • Under the "Server" key, locate a DWORD value named "Enabled." If it doesn't exist, create it and set it to "0".
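
To confirm the Apache change in step 2 took effect everywhere, the following added example (not Netsparker's or Apache's code) audits every SSLProtocol line in a configuration file and reports whether SSLv2 is still enabled. The left-to-right handling of `+`/`-` tokens, the expansion of `all`, and the names `effective_protocols`, `audit` and `SAMPLE_CONF` are assumptions of this sketch.

```python
import re

# Assumption: "all" is expanded to every name below, SSLv2 included. That is
# the worst case (older mod_ssl builds) and the safe one to audit against.
KNOWN = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}
DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)

# Constructed sample configuration, not taken from a real server.
SAMPLE_CONF = """\
# global default
SSLEngine on
SSLProtocol all
<VirtualHost *:443>
    SSLProtocol -ALL +SSLv3 +TLSv1
</VirtualHost>
<VirtualHost *:8443>
    SSLProtocol all -SSLv3
</VirtualHost>
"""

def effective_protocols(args):
    """Apply SSLProtocol tokens left to right; return the enabled set."""
    enabled = set()
    for token in args.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token[len(sign):].lower()
        if name != "all" and name not in KNOWN:
            raise ValueError(f"unrecognised protocol token: {token!r}")
        group = set(KNOWN) if name == "all" else {name}
        if sign == "+":
            enabled |= group
        elif sign == "-":
            enabled -= group
        else:  # a bare name replaces whatever was set so far
            enabled = group
    return enabled

def audit(conf_text):
    """Return (line_no, enabled_protocols, sslv2_enabled) per directive."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        match = DIRECTIVE.match(line)
        if match:
            enabled = effective_protocols(match.group(1))
            findings.append((line_no, sorted(enabled), "sslv2" in enabled))
    return findings

if __name__ == "__main__":
    for line_no, enabled, bad in audit(SAMPLE_CONF):
        print(f"line {line_no}: {'SSLv2 ENABLED' if bad else 'ok'} {enabled}")
```

A file with no SSLProtocol line produces no findings; the server then uses its built-in default, which has to be checked separately. The returned list also shows which other protocols each directive leaves enabled.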
