
We have a web server hosted by a third party running on port 80. They have also enabled SSL but we did not use it. We are just using port 80. Right now, when I do a vulnerability scan, some SSL vulnerabilities are detected, and I am concerned: if hackers manage to compromise SSL, would it affect my web server as well? Thanks.

WhiteWinterWolf
Pang Ser Lark

1 Answer


It depends on the exact vulnerabilities which have been found, but unless there are very specific threats like buffer overflow, code injection, etc. which have been found, the general answer is that if you do not use SSL, then you are not concerned by SSL weaknesses.

SSL's goal is to provide communication channel security through confidentiality, integrity and authentication. Generally, SSL threats will try to attack at least one of these points in order to lessen the SSL connection's security. This would allow such things as deciphering encrypted exchanges, impersonating the SSL server, etc.

But since you are using HTTP only, there is no communication channel security in use and therefore none to be attacked. So, even if the SSL port is badly configured with poor cipher suites and poor certificates, this will not affect your HTTP-only service.

WhiteWinterWolf