Hello, welcome to the Wednesday, March 31st, 2021 edition of the Sands and the Storm Center's Stormcast.

My name is Johannes Ulrich, and the I'm recording from Jacksonville, Florida.

Jan today took a quick look at Shodan to see what TLS versions are used out there in the wild. And well, the surprising finding here was

that there is still a significant number of outdated servers running, for example, SSL version

3. That was about 7% of servers that showed Ann catalogeded are running SL version 3, and another 1.6% are running SL version 2.

And, well, the latest greatest version of TLS, TLS 1.3 is operating on about a quarter of the servers, according to Shodan.

Now, one thing to keep in mind here is that Shodan does not take into account how popular

these services are.

Shodan actually sort of builds itself a little bit as the search engine for the Internet of

Things.

So a lot of these systems that Shodan discovered here are probably IoT-style devices.

And yes, they tend to be behind the curve on things like SSL, if they even support and have

properly configured SSL in the first place.

But this also kind of spells trouble as browsers are removing these old versions of SSL from their libraries,

because as a result now, users of these devices are no longer able to easily connect to these devices via SSL, typically forcing them to downgrade

to clear text.

And yesterday I mentioned that the NPM Netmask library has issues, how it's handling

octal IP addresses, and that this could lead to security vulnerabilities. Well, no surprise, other languages

have similar issues. A blog post published today looks at the best programming language ever.

Pearl and how its various IP address modules are dealing with this particular problem. And they found a

couple of them, for example, NetNet Mask, NetSider Lite, Net, NetIntyre Util, and others that

are affected by essentially the same problem. In particular, as these libraries are providing simple shortcut

...