22 Feb 2014 | > | AmiSSL 3.6/3.7 and IBrowse 2.4 HTTPS vulnerabilitiesHarry Sintonen has released an advisory document detailing some flaws and vulnerabilities in AmiSSL 3.6 and 3.7, used by IBrowse to support secure connections, and IBrowse 2.4's HTTPS implementation.We advise that you should disable "SSLv2 support" on the "Security" page of the IBrowse preferences. And also in that section, on the "Ciphers" page, ensure that DES, 3DES (Encryption), MD5 (MAC) and Export (Cipher grade) are all disabled. These are enabled by default in IBrowse 2.4.Additionally, you may wish to enter the following command in a shell: "setenv save AmiSSL/SSL_CLIENT_VERSION ssl3" - this will disable SSL 2.0 globally in AmiSSL itself so will get applied to all other applications using AmiSSL (not just IBrowse).The IBrowse Development Team thank Harry for bringing these issues to our attention, and we will make any required fixes and HTTPS improvements for IBrowse 2.5. Hopefully, a new version of the now open-source AmiSSL will be released at some point, updated to use the very latest version of OpenSSL. |