AnsweredAssumed Answered

Influence on Adobe Flash SSL protocol version

Question asked by j-mailor on Nov 4, 2014
Latest reply on Nov 5, 2014 by M K

Hi,

just for fun I did test of www.ted.com web page. It looks they have some kind of load balancing, because of getting different IP addresses and different results in ssllabs.com/ssltest/.

 

One of the tests show lets say OK security of www server, grade B. On protocols there is clear SSLv3 and SSLv2 are disabled.

 

test.png

 

Now play a video for example: https://www.ted.com/talks/myriam_sidibe_the_simple_power_of_hand_washing#t-142583 - you see there is httpS in address. I opened Wireshark to monitor network traffic. Web site is using Adobe Flash and as seen from network analytics program it looks like server redirects all flash content to another server (if video is stopped, main page refreshed and restart video, a new server is provided - so it looks like some load balancing in Flash serving server too). But what surprised me it is a SSL protocol witch is SSLv2. We know from security point of view this protocol is broken for years. It also surprises me that someone is providing an encryption and doing it so unprofessional.

test2.png

 

Also on my browser Firefox 33 SSLv2 protocol is not available anymore. It looks like Adobe Flash is having some kind of its own implementation independent from browser official SSL support. Is there any way to control what kind of SSL version is used by Adobe Flash or any other browser plugins like Java etc?

Thanks

Outcomes