Microsoft releases fix-it tools for SSL / TLS vulnerabilities

Microsoft releases fix-it tools for SSL / TLS vulnerabilities

The software giant Microsoft has issued a warning in which he points to the potential espionage risks when used in combination with the AES CBC mode. Microsoft suggests as a workaround before the change to using the RC4 stream cipher that reported for the Chosen-plaintext attack is not vulnerable. Microsoft has released a tutorial for it.

For the use of RC4, the administrator would have the list of cipher suites example TLS_RSA_WITH_RC4_128_MD5 quite put forward so this CipherSuite is proposed as the client first. Whether this is accepted, however, another matter. Microsoft proposes to rely on before the switch to TLS 1.1.

For this, the Redmond company has released two fix-it tools that enable TLS 1.1 in Internet Explorer and Windows servers. By default, only TLS 1.0 is enabled, even though as Internet Explorer, TLS 1.1 and TLS 1.2 support. The options can be there without a fix-it tool under Internet Options / Advanced set or delete. On Windows servers, manual configuration is somewhat tedious, since one has to change in the specific registry key for the Secure Channel (schannel). Therefore recommended that it imposes the use of fix-it tools.

The Firefox developers are discussing the meantime remember how to solve the problem best, without compromising compatibility with web servers. However, they are already doing that since the end of June. At that time, Thai Duong was referred to the developer Dan Veditz already looming on the problem and how can we exploit the vulnerability with WebSocket and Java applets. Firefox currently supports only TLS 1.0.