February 16, 2017
Doctor Web's technical support has received multiple queries from Dr.Web software product users who simultaneously use online banking applications that utilise the insecure SSLv2 protocol. To respond to all those queries and curtail the need for our users to ask such questions in the future, we’ll describe the issue in detail here in this news post.
Currently, because of multiple vulnerabilities in SSLv2, this protocol, as well as the applications that utilise it, is not secure.
Specifically, systems that use the protocol are vulnerable to MITM (man-in-the-middle) attacks as well as attacks that enable intruders to alter the course of data transfers. The MD5 caching routine of SSLv2 has also been compromised and is deprecated.
SSLv2 has been known to be insecure for quite a while. As long ago as 1996, it was superseded by SSLv3, which in turn was also found to be vulnerable (CVE-2014-3566). SSLv2 was officially rated as obsolete in 2011, in accordance with RFC 6176. Because of this, whenever a connection is established via SSLv2, Dr.Web notifies users about the danger.
Dr.Web user support requests clearly indicate that some online banking applications are still using the insecure SSLv2. Customer care staff of the banks involved have even recommended to users of ours, who have experienced problems with their applications because of Dr.Web, that they uninstall the anti-virus—something that would severely endanger the funds of their own customers.
Doctor Web recommends that insecure applications be updated. If no updates are available, users can continue using them by going into the Dr.Web settings and enabling the use of an insecure protocol.
If you choose to use an online banking application, ask the bank whether it uses a secure connection, and if it utilises SSLv2 or SSLv3, reject the use of the application.
Currently, the recommended protocols include TLS v.1 and later.
Read the original: https://news.drweb.com/show/?i=11179&c=5&lng=en&p=0