Downgrade the protocol #4
Comments
Okay, I finally found a way! But in Chrome, not Firefox 😆 This is the capture of the Wireshark traffic, the proof: I will implement the downgrade method during the next week and push the code after! 😄
It will be very helpful. Please let me know when it's available.
Any updates related to pushing the code will be very helpful 👍
Can't wait to test it 👍
How it works? During the handshake (after the hello client), the exploit sends a handshake_failure 15030000020228, then the browser should resend a hello client with SSLv3.0 as the default protocol. Tested on Chrome version 15, but it's not working on Firefox (I think it doesn't support protocol renegotiation).
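As an added example (not part of the original thread or the project's code), the following Python decodes the alert record quoted above and flags, from a monitoring point of view, a retry ClientHello that drops to a lower version without TLS_FALLBACK_SCSV. The function names and the `build_hello` sample messages are constructed for illustration; the SCSV value 0x5600 comes from RFC 7507.

```python
import struct

ALERT, HANDSHAKE = 0x15, 0x16
FATAL, HANDSHAKE_FAILURE = 2, 40   # 0x02 and 0x28, the last two bytes quoted in the thread
TLS_FALLBACK_SCSV = 0x5600         # signalling cipher suite value from RFC 7507

def parse_record(data):
    """Split one TLS record into (content_type, record_version, payload)."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    if len(data) - 5 < length:
        raise ValueError("truncated record payload")
    return ctype, version, data[5:5 + length]

def parse_alert(data):
    """Return (level, description) of a plaintext alert record."""
    ctype, _, payload = parse_record(data)
    if ctype != ALERT or len(payload) != 2:
        raise ValueError("not a plaintext alert record")
    return payload[0], payload[1]

def parse_client_hello(data):
    """Return (client_version, cipher_suites) of a ClientHello record."""
    ctype, _, p = parse_record(data)
    if ctype != HANDSHAKE or len(p) < 41 or p[0] != 0x01:
        raise ValueError("not a ClientHello")
    (version,) = struct.unpack("!H", p[4:6])
    off = 38 + 1 + p[38]           # handshake header, version, random, session_id
    (n,) = struct.unpack("!H", p[off:off + 2])
    return version, list(struct.unpack("!%dH" % (n // 2), p[off + 2:off + 2 + n]))

def is_unsignalled_fallback(first_hello, alert, retry_hello):
    """True if a fatal handshake_failure is followed by a lower-version
    ClientHello that does not carry TLS_FALLBACK_SCSV."""
    v1, _ = parse_client_hello(first_hello)
    v2, suites = parse_client_hello(retry_hello)
    return (parse_alert(alert) == (FATAL, HANDSHAKE_FAILURE)
            and v2 < v1 and TLS_FALLBACK_SCSV not in suites)

def build_hello(version, suites):
    """Constructed minimal ClientHello (zero random, no session id, no extensions)."""
    body = struct.pack("!H32sB", version, bytes(32), 0)
    body += struct.pack("!H%dH" % len(suites), 2 * len(suites), *suites) + b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(hs)) + hs

ALERT_FROM_THREAD = bytes.fromhex("15030000020228")
print(parse_alert(ALERT_FROM_THREAD))
```

The record decodes as content type 0x15 (alert), version 0x0300 (SSL 3.0), length 2, level 2 (fatal), description 0x28 (handshake_failure).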
For now and after many attempts, I didn't find a proper way to downgrade the protocol to SSLv3 if TLS was negotiated first (with old versions of openssl/browser that didn't support TLS Fallback SCSV).
Sending a handshake failure during the handshake was not working, for example with Firefox. I also didn't find a real example on the internet.