The EFF’s Decentralized SSL Observatory turned up 1,600 certificates that should have been rejected but instead passed browser checks because they were manipulated by Komodia’s SSL Digester interception module.
Tag Archives: SSL
PrivDog Adware Poses Bigger Risk Than Superfish
Another shady piece of adware called PrivDog has been unearthed with a similar Superfish-type vulnerability that breaks SSL connections.
Komodia Website Under DDoS Attack
Komodia.com, home of the SSL module at the heart of the Superfish scandal, is offline because of a DDoS attack.
Kaminsky: DNS Insecurity Isn’t Coincidence, it’s Consequence
Dan Kaminsky insisted that there’s a cost to doing security crypto through DNS at Kaspersky Lab’s 2015 Security Analyst Summit Monday.
Google Trades Technicality for Brevity With New SSL Warning
Google and the University of Pennsylvania performed a study intended to determine the effect of best practices on the efficacy of SSL browser warnings.
GE Ethernet Switches Have Hard-Coded SSL Key
There is a hard-coded private SSL key present in a number of hardened, managed Ethernet switches made by GE and designed for use in industrial and transportation systems. Researchers discovered that an attacker could extract the key from the firmware remotely. The vulnerability exists in a number of GE Ethernet switches, including the GE Multilink […]
2014: A Specious Odyssey
The wonderful and terrifying thing about the security world is that things never stay calm for long. As soon as you think you have a chance to catch your breath, someone breaks something and it’s time to scramble again. In 2014, those small moments of downtime were hard to come by.
Researchers Say POODLE Attack Affects Some TLS Implementations
The POODLE attack against SSLv3 that researchers from Google revealed earlier this year also affects some implementations of TLS and vendors now are scrambling to release patches for gear affected by the vulnerability. Soon after the POODLE attack was disclosed in October, researchers began looking into whether it might affect protocols other than SSLv3. It quickly […]
Disabling SSLv3 on the client and server
Recently, some Internet search engines announced that they would prefer websites secured with encryption over those that were not. Of course there are other reasons why securing your website with encryption is beneficial. Protecting authentication credentials, mitigating the use of cookies as a means of tracking and allowing access, providing privacy of your users, and authenticating your own server thus protecting the information you are trying to convey to your users. And while setting up and using encryption on a webserver can be trivial, doing it properly might take a few additional minutes.
Red Hat strives to ship sane defaults that allow both security and availability. Depending on your clients a more stringent or lax configuration may be desirable. Red Hat Support provides both written documentation as well as a friendly person that can help make sense of it all. Inevitably, it is the responsibility of the system owner to secure the systems they host.
Good cryptographic protocols
Protocols are the basis for all cryptography and provide the instructions for implementing ciphers and using certificates. In the asymmetric, or public key, encryption world the protocols are all based off of the Secure Sockets Layer, or SSL, protocol. SSL has come along way since its initial release in 1995. Development has moved relatively quickly and the latest version, Transport Layer Security version 1.2 (TLS 1.2), is now the standard that all new software should be supporting.
Unfortunately some of the software found on the Internet still supports or even requires older versions of the SSL protocol. These older protocols are showing their age and are starting to fail. The most recent example is the POODLE vulnerability which showed how weak SSL 3.0 really is.
In response to the weakened protocol Red Hat has provided advice to disable SSL 3.0 from its products, and help its customers implement the best available cryptography. This is seen in products from Apache httpd to Mozilla Firefox. Because SSL 3.0 is quickly approaching its twentieth birthday it’s probably best to move on to newer and better options.
Of course the protocol can’t fix everything if you’re using bad ciphers.
Good cryptographic ciphers
Cryptographic ciphers are just as important to protect your information. Weak ciphers, like RC4, are still used on the Internet today even though better and more efficient ciphers are available. Unfortunately the recommendations change frequently. What was suggested just a few months ago may no longer be good choices today. As more work goes into researching the available ciphers weaknesses are discovered.
Fortunately there are resources available to help you stay up to date. Mozilla provides recommended cipher choices that are updated regularly. Broken down into three categories, system owners can determine which configuration best meets their needs.
Of course the cipher can’t fix everything if your certificate are not secure.
Certificates
Certificates are what authenticate your server to your users. If an attacker can spoof your certificate they can intercept all traffic going between your server and users. It’s important to protect your keys and certificates once they have been generated. Using a hardware security module (HSM) to store your certificates is a great idea. Using a reputable certificate authority is equally important.
Clients
Most clients that support SSL/TLS encryption automatically try to negotiate the latest version. We found with the POODLE attack that http clients, such as Firefox, could be downgraded to a weak protocol like SSL 3.0. Because of this many server owners went ahead and disabled SSL 3.0 to prevent the downgrade attack from affecting their users. Mozilla has, with their latest version of Firefox, disabled SSL 3.0 by default (although it can be re-enabled for legacy support). Now users are protected even though server owners may be lax in their security (although they are still at the mercy of the server’s cipher and protocol choices).
Much of the work has already been done behind the scenes and in the development of the software that is used to serve up websites as well as consume the data that comes from these servers. The final step is for system owners to implement the technology that is available. While a healthy understanding of cryptography and public key infrastructure is good, it is not necessary to properly implement good cryptographic solutions. What is important is protecting your data and that of your users. Trust is built during every interaction and your website it usually a large part of that interaction.
Google Removes SSLv3 Fallback Support From Chrome
Google has released Chrome 39, fixing 42 security vulnerabilities and removing support for the fallback to SSLv3, the component that was the target of the POODLE attack revealed last month. When the POODLE attack was disclosed by several Google researchers in October, the company said that it had added a change to Chrome that would […]