
SSL Browser Check


tonynoriega

2:16 pm on Mar 25, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



We are going to add a script to our site that checks browser versions to see if they are compatible with SSL 3.0; my DEV team gave me this to implement. From what I understand, SSL 3.0 does not work with IE 5 and earlier?

Also, what I want to do is, instead of a basic JavaScript alert, maybe create a dialog box with some actual links I can put to the latest version of IE for them to upgrade?

Is what I was given below the best tactic?

<script type="text/javascript">

// The flag must be initialised: without this line it is never declared, and
// an undefined value compared with == false is not equal, so the alert below
// would never fire for any browser.
var requirementsMet = false;
var b_version = navigator.appVersion;

if (b_version.indexOf("MSIE 5.5") != -1) {
    requirementsMet = true;
}

if (b_version.indexOf("MSIE 6") != -1) {
    requirementsMet = true;
}

if (b_version.indexOf("MSIE 7") != -1) {
    requirementsMet = true;
}

if (b_version.indexOf("MSIE 8") != -1) {
    requirementsMet = true;
}

if (requirementsMet == false) {
    alert("Your browser does NOT meet requirements for SSL 3.0. You need to upgrade your browser.");
}
</script>

rainborick

2:29 pm on Mar 25, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I'd suggest that you check for the presence of "MSIE" and then parseFloat the value of the version string to check for >= 6, rather than a single test for each specific version. Your code will last longer and will survive any incremental version updates that might occur.

whoisgregg

2:30 pm on Mar 25, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Anyone can circumvent this type of check by simply modifying their user-agent string. It's considered "best practice" to check for the feature itself instead of detecting the browser/version.

I don't think JavaScript can directly test for SSL 3.0 support, though. Apache can tell you the size of the cipher key currently in use. More info on that on this page:
[httpd.apache.org...]

Fotiman

3:06 pm on Mar 25, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Also worth noting, your test doesn't specify what happens when a non-IE browser visits the site. Also, I think that the assessment that IE5 does not support SSL 3.0 may be incorrect, so you should look into that.
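The version-parsing approach rainborick suggests, combined with an explicit decision for non-IE browsers as Fotiman points out the posted script never makes, as an added example that is not code from the thread or from the original poster's DEV team. The appVersion strings, the threshold of 6, the choice to let non-IE browsers through, and the upgrade link target are all assumptions made for illustration. As whoisgregg notes, a user-agent check is only a courtesy prompt for the visitor; it is not a security control, and the SSL 2.0 finding itself has to be fixed on the server.

```javascript
// Added example (not from the thread). Parses the IE version out of
// navigator.appVersion with a regular expression and parseFloat instead of one
// indexOf test per release, so "MSIE 10.0" compares correctly and new minor
// versions need no code change. Non-IE browsers are handled explicitly.

// Returns the IE version as a number (e.g. 5.5, 8), or null when "MSIE" is absent.
function ieVersion(appVersion) {
  var m = /MSIE (\d+(?:\.\d+)?)/.exec(String(appVersion));
  return m ? parseFloat(m[1]) : null;
}

// Returns true when the browser should NOT be shown the upgrade dialog.
// Assumption for this example: browsers that are not IE are accepted, since the
// original check only ever set the flag for IE and said nothing about the rest.
function meetsRequirements(appVersion, minIeVersion) {
  var v = ieVersion(appVersion);
  if (v === null) {
    return true; // not IE: nothing to compare against
  }
  return v >= minIeVersion;
}

// Constructed sample appVersion strings; real values vary by platform.
var SAMPLES = {
  ie5:  "4.0 (compatible; MSIE 5.01; Windows NT 5.0)",
  ie55: "4.0 (compatible; MSIE 5.5; Windows 98)",
  ie6:  "4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
  ie8:  "4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
  ie10: "5.0 (compatible; MSIE 10.0; Windows NT 6.1)",
  ff:   "5.0 (Windows)"
};

// Runs every sample through the check; useful for a quick self-test.
function checkAll(minIeVersion) {
  var out = {};
  for (var k in SAMPLES) {
    if (Object.prototype.hasOwnProperty.call(SAMPLES, k)) {
      out[k] = meetsRequirements(SAMPLES[k], minIeVersion);
    }
  }
  return out;
}

// Builds the upgrade notice the original poster asked about: a dialog with a
// real link rather than a bare alert(). Nodes are built with createElement and
// textContent so no HTML string is ever interpreted. Returns the element.
// UPGRADE_URL is a placeholder; substitute the vendor's download page.
function buildUpgradeNotice(doc) {
  var UPGRADE_URL = "https://UPGRADE-URL-PLACEHOLDER.example/";
  var box = doc.createElement("div");
  box.className = "ssl-upgrade-notice";
  var text = doc.createElement("p");
  text.textContent = "Your browser does not meet the requirements for SSL 3.0. " +
                     "Please upgrade Internet Explorer: ";
  var link = doc.createElement("a");
  link.href = UPGRADE_URL;
  link.textContent = "download the latest version";
  text.appendChild(link);
  box.appendChild(text);
  return box;
}

// Browser usage: on page load, show the notice only to old IE. Guarded so the
// functions above can also be loaded outside a browser (e.g. for testing).
if (typeof navigator !== "undefined" && typeof document !== "undefined") {
  if (!meetsRequirements(navigator.appVersion, 6)) {
    document.body.appendChild(buildUpgradeNotice(document));
  }
}
```

The threshold is a parameter rather than a hard-coded list, so if the poster's research shows IE 5.5 is in fact acceptable, only the value passed to meetsRequirements changes.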

tonynoriega

4:24 pm on Mar 25, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



@rainborick Agreed.

@Fotiman according to our internal audit:
"Audit Finding:
Weak SSL version - The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all. Specifically, the web server accepts connections encrypted using SSL 2.0, which suffers from several cryptographic flaws and has been obsolete for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients. Usually, the weak options are available for backward compatibility but give users a false sense of security."

"The way to solve the issue is to make a change to a registry setting that may cause issues for anyone using a version of Internet Explorer that is older than IE6 to access our company website. I would find it hard to believe anyone is still using IE5 or older but it could happen."

I am researching this now.

rocknbil

6:16 pm on Mar 25, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Specifically, the web server accepts connections encrypted using SSL 2.0, which suffers from several cryptographic flaws and has been obsolete for several years.


I recognize this; it is, or is similar to, one of the fail flags in a SecurityMetrics scan. This is something you want to address on your server; JavaScript, or even server-side programming, is not going to fix it.

This is about a weakness in your server that needs to be fixed. Attacks that would exploit this weakness aren't going to come from a browser; they're going to come from the command line or an automated program.

"The way to solve the issue is to make a change to a registry setting that may cause issues for anyone using a version of Internet Explorer that is older than IE6 to access our company website. I would find it hard to believe anyone is still using IE5 or older but it could happen."


Knowing the first, I seriously have to question the validity of this entire statement. I'm no expert on this stuff, I have an administrator who does all the "fixing," but a "fix" of this nature would still fail a SecurityMetrics scan.

Edit: A search for "weak ciphers" turns up some relevant results to support my statement.