Archives

Archives / 2008 / December
  • Enforcing SSL 3.0 and removing weak encryption vulnerability over SSL (IIS 6.0 and ISA)

    Running a custom penetration test against an IIS 6.0 server with SSL enabled may report a weak encryption vulnerability on IIS. ISA Server 2000 acts as a proxy in front of the IIS server and also has a certificate installed on it. The following is the error report generated by the custom penetration test when SSL 3.0 has already been enforced but weak encryption keys are still supported on the server, which attackers may use to carry out man-in-the-middle style attacks against the server.