Defend what you create

Other Resources


My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Back to news

About the dangers of using online banking applications that rely on the insecure SSLv2 protocol

February 16, 2017

Doctor Web's technical support has received multiple queries from Dr.Web software product users who simultaneously use online banking applications that utilise the insecure SSLv2 protocol. To respond to all those queries and curtail the need for our users to ask such questions in the future, we’ll describe the issue in detail here in this news post.

Currently, because of multiple vulnerabilities in SSLv2, this protocol, as well as the applications that utilise it, is not secure.

Specifically, systems that use the protocol are vulnerable to MITM (man-in-the-middle) attacks as well as attacks that enable intruders to alter the course of data transfers. The MD5 caching routine of SSLv2 has also been compromised and is deprecated.

SSLv2 has been known to be insecure for quite a while. As long ago as 1996, it was superseded by SSLv3, which in turn was also found to be vulnerable (CVE-2014-3566). SSLv2 was officially rated as obsolete in 2011, in accordance with RFC 6176. Because of this, whenever a connection is established via SSLv2, Dr.Web notifies users about the danger.

Dr.Web user support requests clearly indicate that some online banking applications are still using the insecure SSLv2. Customer care staff of the banks involved have even recommended to users of ours, who have experienced problems with their applications because of Dr.Web, that they uninstall the anti-virus—something that would severely endanger the funds of their own customers.

Doctor Web recommends that insecure applications be updated. If no updates are available, users can continue using them by going into the Dr.Web settings and enabling the use of an insecure protocol.

If you choose to use an online banking application, ask the bank whether it uses a secure connection, and if it utilises SSLv2 or SSLv3, reject the use of the application.

Currently, the recommended protocols include TLS v.1 and later.

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.

Other comments

The Russian developer of Dr.Web anti-viruses
Doctor Web has been developing anti-virus software since 1992
Dr.Web is trusted by users around the world in 200+ countries
The company has delivered an anti-virus as a service since 2007
24/7 tech support

Dr.Web © Doctor Web
2003 — 2021

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125124