Audit or review Ncat's use of SSL/TLS #31
Nmap tends to view SSL/TLS as just another communication protocol to be negotiated, so we don't do certificate verification or try to prevent downgrades: we just want to be able to talk to the maximum number of services possible.
Ncat is different: SSL is offered as a security feature. We need to make sure we are making wise decisions here. We are way behind the curve in comparison to web browsers in terms of certificate verification, OCSP stapling, certificate pinning, revocation checking, etc. We have a decent set of supported ciphers (and now allow users to override it), but we also support SSLv3 and don't offer a way to change that.
This task is to perform at least an initial assessment of how Ncat meets or falls short of what is expected of an SSL client (and server, really, because we offer that, too). The assumption can be made that we are working with the latest version of OpenSSL, because that is what we use in our binary packages (Windows and Linux RPM; not sure about the OS X .dmg?).
Comments
Nice. It's worth noting, I think, that Ncat is a lot different from a web browser in terms of security expectations. In particular:
I still think this assessment is important, just noting that we don't need to necessarily be as strict as web browsers in enforcing SSL/TLS best practices.
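As an added illustration of the checklist this issue asks for (example code, not from the Nmap project), here is a small audit of a TLS client context using Python's ssl module: it flags the gaps the issue names, missing certificate verification and legacy protocol versions with no way to turn them off, and contrasts a permissive context with a hardened one. The weak-cipher marker list and the two context builders are assumptions made for this example.

```python
import ssl

# Substrings that mark cipher suites no modern client should offer
# (assumed list for this example, not Ncat's cipher policy).
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5")


def audit_client_context(ctx: ssl.SSLContext) -> dict:
    """Check a client SSLContext against the points raised in the issue:
    certificate verification, legacy protocol versions and cipher choice.
    Returns {finding_code: description}; an empty dict passes the checklist."""
    findings = {}
    if ctx.verify_mode == ssl.CERT_NONE:
        findings["no-cert-verification"] = "peer certificate is never verified"
    if not ctx.check_hostname:
        findings["no-hostname-check"] = "certificate is not matched against the host name"
    # Anything below TLS 1.2 lets a peer (or an active attacker) negotiate
    # SSLv3/TLS 1.0/1.1: the downgrade exposure the issue describes.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings["legacy-protocols"] = (
            f"minimum protocol version is {ctx.minimum_version.name}, below TLS 1.2"
        )
    weak = sorted({c["name"] for c in ctx.get_ciphers()
                   if any(m in c["name"] for m in WEAK_CIPHER_MARKERS)})
    if weak:
        findings["weak-ciphers"] = "weak cipher suites enabled: " + ", ".join(weak)
    return findings


def permissive_context() -> ssl.SSLContext:
    """A client that only wants to 'talk to the maximum number of services',
    the Nmap-style posture the issue contrasts Ncat against (assumed setup)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False              # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # whatever OpenSSL allows
    return ctx


def hardened_context() -> ssl.SSLContext:
    """What a client offering TLS as a security feature should look like."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED, hostname check, system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


if __name__ == "__main__":
    for label, ctx in (("permissive", permissive_context()), ("hardened", hardened_context())):
        print(label, audit_client_context(ctx) or "passes checklist")
```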