BEAST TLS/SSL Exploit

  • Question

  • I've been asked by our security team how the BEAST (“Browser Exploit Against SSL/TLS”) exploit could potentially affect Lync now that it has gotten more press due to researchers (or hackers) demonstrating it.  Based on its description I assume it could affect things like the address book download, content upload, or web services, but I have not seen information about its effect on specific applications like Lync.

    We are running Windows 2008 SP2 so it appears by default we are using TLS 1.0 but could enable version 1.1.  My question is if that is done what ramifications could that have for the client?  Has anyone else seen this as a concern or seen anything from Microsoft about it?  I realize this is potentially too far on the paranoid side (real risk versus perceived) but it did come from security... :)

    Thanks.

    • Edited by MacGeever Thursday, September 22, 2011 4:00 PM
    Thursday, September 22, 2011 3:22 PM
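The question above asks what actually changes for the client when the server moves from TLS 1.0 to TLS 1.1. The following Python is an added example, not code from the original thread, from Microsoft or from the Lync product: it models the CBC record layer of both protocol versions with a stand-in block cipher (HMAC-SHA256 truncated to 16 bytes in place of AES-128; padding and MAC are omitted and records are assumed block-aligned) and runs the BEAST block-equality check against each. Under TLS 1.0 the IV of every record is the last ciphertext block of the previous record, so an attacker who can inject chosen plaintext into the victim's session (the role the browser script plays in BEAST) can test a guess for a secret block; under TLS 1.1 each record carries a fresh random explicit IV and the same check fails. The secret, the candidate list, the key and the initial IV are constructed for the demo.

```python
"""BEAST block-equality oracle: TLS 1.0 chained-IV CBC vs TLS 1.1 explicit-IV CBC.

Added example for this thread, not code from the original post or from Microsoft.
Assumption: a deterministic keyed PRF (HMAC-SHA256 truncated to 16 bytes) stands in
for AES-128, which is all the encryption-side demonstration needs. TLS padding and
the record MAC are not modelled; plaintexts must be multiples of 16 bytes.
"""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for one AES-128 block encryption (keyed PRF, deterministic)."""
    if len(block) != BLOCK:
        raise ValueError("block must be 16 bytes")
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> List[bytes]:
    if len(plaintext) % BLOCK:
        raise ValueError("demo does not model TLS padding; align the record to 16 bytes")
    blocks, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        blocks.append(prev)
    return blocks


class Tls10CbcSession:
    """TLS 1.0 record layer: the CBC IV of each record is the last ciphertext block
    of the previous record, so anyone watching the wire knows the next IV."""

    def __init__(self, key: bytes, initial_iv: bytes):
        self.key = key
        self.chain = initial_iv  # derived from the handshake, never sent on the wire

    def encrypt_record(self, plaintext: bytes) -> Tuple[Optional[bytes], List[bytes]]:
        blocks = cbc_encrypt(self.key, self.chain, plaintext)
        self.chain = blocks[-1]
        return None, blocks  # no explicit IV accompanies the record


class Tls11CbcSession(Tls10CbcSession):
    """TLS 1.1 and later (RFC 4346): a fresh random IV per record, sent in the
    clear in front of the ciphertext, so the next IV cannot be predicted."""

    def encrypt_record(self, plaintext: bytes) -> Tuple[Optional[bytes], List[bytes]]:
        iv = os.urandom(BLOCK)
        return iv, cbc_encrypt(self.key, iv, plaintext)


# Constructed demo data: a one-block secret and a short candidate list to brute-force.
SECRET = b"Cookie=SECRET123"
CANDIDATES = [b"Cookie=SECRET000", b"Cookie=SECRET111", SECRET, b"Cookie=SECRET999"]


def simulate_beast(session: Tls10CbcSession, candidates: List[bytes]) -> Optional[bytes]:
    """Attacker model: reads every record on the wire and can make the victim's
    session encrypt attacker-chosen plaintext. Returns the recovered secret block,
    or None when the guess-check never fires."""
    # Record 1: ordinary traffic, which gives the attacker an observable chaining value.
    _, rec1 = session.encrypt_record(b"GET /index.html ")
    # Record 2: the victim's secret. The attacker sees the ciphertext and, for TLS 1.1,
    # the explicit IV that preceded it.
    iv2, rec2 = session.encrypt_record(SECRET)
    target = rec2[0]
    mask = iv2 if iv2 is not None else rec1[-1]  # value XORed into SECRET before encryption
    predicted_iv = rec2[-1]  # TLS 1.0 chaining rule; tells the attacker nothing in TLS 1.1
    for guess in candidates:
        # If the next IV really is predicted_iv, the cipher input becomes guess XOR mask,
        # which equals SECRET XOR mask (the input that produced target) iff guess == SECRET.
        crafted = xor(xor(guess, mask), predicted_iv)
        _, rec = session.encrypt_record(crafted)
        if rec[0] == target:
            return guess
        predicted_iv = rec[-1]  # the attacker keeps watching the wire
    return None


def new_session(cls):
    key = hashlib.sha256(b"constructed demo key").digest()[:BLOCK]
    return cls(key, hashlib.sha256(b"constructed handshake iv").digest()[:BLOCK])


if __name__ == "__main__":
    print("TLS 1.0 recovered:", simulate_beast(new_session(Tls10CbcSession), CANDIDATES))
    print("TLS 1.1 recovered:", simulate_beast(new_session(Tls11CbcSession), CANDIDATES))
```

The real attack additionally uses the chosen-boundary trick, shifting the record so that the target block contains a single unknown byte and at most 256 guesses are needed per byte; the demo brute-forces a short constructed list instead. On the Windows side, the protocol versions Schannel offers are controlled per protocol under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols (Enabled and DisabledByDefault values for Client and Server). Enabling TLS 1.1 alongside TLS 1.0 does not break a client that only speaks 1.0, since version negotiation falls back to the highest common version; disabling TLS 1.0 would. At the time of this thread TLS 1.1 and 1.2 shipped disabled by default in Windows Server 2008 R2 and Windows 7, while the original Windows Server 2008 release gained them only through a later update.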

Answers

  • Hi MacGeever,

    Can you clarify your question "if that is done what ramifications could that have for the client"?

    Do you mean the server and client use the different TLS version?

     Hope the following article can help you:

    http://technet.microsoft.com/en-us/library/cc784450(WS.10).aspx


    Monday, September 26, 2011 9:54 AM
    Moderator
  • I've been asked by our security team how the BEAST (“Browser Exploit Against SSL/TLS”) exploit could potentially affect Lync now that it has gotten more press due to researchers (or hackers) demonstrating it.  Based on its description I assume it could affect things like the address book download, content upload, or web services, but I have not seen information about its effect on specific applications like Lync.

    We are running Windows 2008 SP2 so it appears by default we are using TLS 1.0 but could enable version 1.1.  My question is if that is done what ramifications could that have for the client?  Has anyone else seen this as a concern or seen anything from Microsoft about it?  I realize this is potentially too far on the paranoid side (real risk versus perceived) but it did come from security... :)

    Thanks.

     

    Consider financial institutions as your customer, and security topics will never ever be looked at as too paranoid! Especially after this exploit, it will get harder to convince the IT security department that "Lync is safe, just because it is using certificates". Unfortunately this may not be the case anymore. Lync consultants will need to educate themselves on how to answer such difficult questions.

    Miercom delivered a report on security for Lync in January. They have extensively tested the TLS part of the solution. However, I am not sure their test-case list had any similar test for the aforementioned exploit.

    http://www.miercom.com/2011/01/microsoft-lync/

    Saturday, November 5, 2011 3:14 PM
