Encryption

TLS 1.0 Initialization Vector Implementation Information Disclosure Vulnerability

our services

SSLv3 and TLS1.0 implementations using Chained-block ciphers (CBC) may be vulnerable to plain-text recovery attacks. When predictable IVs are used in CBC mode, an attacker can leverage this in more advanced attacks as demonstrated in the ‘BEAST’ attack.
More information can be found at the following URL: https://technet.microsoft.com/library/security/ms12-006

Remediation

There are two ways to remediate this issue:

Option 1

Disable TLS 1.0 completely to enforce TLS 1.1 and TLS 1.2.

Option 2

Leave TLS 1.0 support enabled, but disable Chained Block Ciphers.

IIS Instructions

Microsoft has published the following KB article for disabling encryption protocols within IIS:
https://support.microsoft.com/en-us/kb/187498

We
Are
Changing
The
Way
Pentesting
Is
Done
  • Application
  • Network
  • Mobile
  • AWS