![]() You really shouldn’t be using them however, don’t just use TLS and consider that enough to offer a good security posture. used with it) are widely considered as insecure. Ignoring our post-PRISM world for a moment (everyone is anyway right?) from a technical standpoint SSLv2 and SSLv3 (regardless of the ciphers etc. If you’re reading this article and you’re responsible for and careabout the privacy and security of your traffic, please keep in mind that SSL/TLS, in reality, presents no more than a façade of security today in the same way money apparently represents real value and different sex marriages normality and stability.Ī year on from the Wireshark version of this article and these comments, Heartbleed and POODLE still top the security pop charts and things have only gotten worse. However, there are plenty of other reasons to consider it insecure. If security and safety are only worthwhile if there’s profit involved, well… Isn’t SSL/TLS Secure?ĭon’t let this article give you the impression it’s not as you’ll see from the next section, there’s a good deal of requirements that must be met. Conflict of interest perhaps – if so, that’s sad and perhaps a comment on our culture. ![]() If they can all contribute time, money and resources to ODL, why the heck can’t our favourite and/or trusted companies, vendors and ‘partners’ support the security realm a bit more too. That, or they rely on other tools that don’t. seems to rely on far too many tools and packages the authors of which simply don’t have the resources to maintain to a high standard. Another free tool, another simple error waiting in the wings to cough bleed you dry? Not in the same league but really, security and it’s analysis etc. +1 To the authors and the architecture of tools like this (including the original author, Eric Rescorla who has contributed to a significant number of RFCs (the last in 2013) but who also unfortunately played a part in Dual EC DRBG). ![]() You might note that ssldump hasn’t been updated in a major way for over a decade (but has been ‘patched’ as late as 2013) not a problem, it still works a treat. This tool ‘saved the day’ I can tell you. I’ve had cause to use this tool recently where writing a tcpdump to file and using Wireshark simply hasn’t been possible/permitted. Aside from the obvious advantages, immediacy and efficiency of a CLI tool, ssldump also provides some very useful, nicely parsed data around the SSL/TLS connection itself too. ![]() This is a straight copy of my popular Using Wireshark to Decode/Decrypt SSL/TLS Packets post, only using ssldump to decode/decrypt SSL/TLS packets at the CLI instead of Wireshark. Who needs the Wireshark GUI right let’s do this at the command line and be grown up about things. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |