SSL Labs is great for identifying weak cipher suites. But how do I know how many clients I affect if I remove them?
Is there a way to log on the server side which TLS version and cipher suite was being used for each connection?
Where do I look? Is this information available to the server software, or is it only available further down in the network stack?
The specifics
The case that triggered this question is a BI tool (Qlik Sense) behind an Azure Gateway.
But when I thought about it, I can't remember seeing this kind of information in any other systems either.
To turn the question around:
If I follow SSL Labs recommendation, and only allow TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
What systems do I then exclude?
(How do I know if there are any at all, or lots of them?)
Apology
Sorry for a very open ended question. But I really don't know where to start looking. Please let me know some key issues, and I can rephrase the question to more specific.
Related
I am looking for advice on how to best implement an M2M TLS-connection. different from "normal" web traffic, we control both client and server, and thus can nail down the cipher string to exactly one option. How do I go about setting up the client and server?
A) If there are no cipher string options, I can greatly simplify the code and remove all branches - which helps to avoid bugs and security flaws. On the other hand, we have to mess with the code.
B) Use standard client libraries and server software, and minimize the configuration to the one exact cipher we use.
I have never implemented TLS myself, and I have not yet attempted a minimal TLS configuration, either. Which one you think is easier to get right?
Thanks very much for your opinions!
Uli
I have never implemented TLS myself, and I have not yet attempted a minimal TLS configuration, either. Which one you think is easier to get right?
If you look at the problems with the different TLS stacks last year (all major stacks had serious bugs) you can either assume that the developers of these stacks are all stupid or that writing a secure stack is hard. I think it is the last option and since you have no experience with TLS yet I predict that any stack you write will be even more buggy than the existing ones. So you better use an existing stack.
Wondering if ReSTful webservice is really the answer in my case of Enterprise application where there are some security concerns such as avoiding man-in-the-middle attacks, ensuring that a trusted client is connecting, client being sure that it is indeed talking to the real server etc.
Is HTTPS the solution? Have read some concerns being raised about its adequacy and fitment, although with a not-so-strong background in IT/application security, don't quite understand, why so!
I see ReST being talked (/ raved) about, and being projected as The-thing, and do see its adoption picking up, by can't seem to understand why the security thing isn't such a big concern, and if it is, what can be done about it.
If you are really serious about securing your service and avoiding man-in-the-middle attacks you should issue certificates to your clients and only accept requests that are signed with those certificates. It is more work for you and for your clients, but in an Enterprise setting, the extra effort may be worth it. It is definitely an option that is worth looking into.
Out of the box you are not going to have any type of message level security, and you would need to leverage HTTPS to do transport level security.
I have seen people attempt to use signed atom feeds, but its nothing to the level of the WS-* stack that comes with SOAP.
I consider myself to be quite a good programmer but I know very little about sever administration. I'm sorry if these questions are noobish but I would really appreciate some advice or links on steps I can take to make this more secure.
I've completed a project for a client that involves storing some very sensitive information, ie personal details of big donors. From a programming perspective it's protected using user authentication.
I don't mind spending some money if it means the info will be more secure, what other steps should I take?
Can the database be encrypted some how so that even if the server is compromised people can't just dump the mysqldb and have everything?
Is it worth purchasing an ssl certificate?
The site is currently hosted on a personal hosting plan with a reasonably trustworthy host. Would a virtual private server be more secure? Are there special hosts I can use that take additional steps to protect info (ie would it be more secure on amazon s3)?
As a side note to the specific question, I would recommend reading some books on computer/programming security. Some good ones are 19 Deadly Sins of Software Security and Writing Solid Code.
You don’t need to encrypt the database itself, just encrypt the data before storing it. (Make sure to use real, cryptographically-secure algorithms instead of making one up yourself.)
Using SSL is definitely an important step if you want to avoid MITM attacks or snooping. A certificate allows you to use SSL without having to take extra steps like installing a self-signed one on each of the client systems (not to mention other benefits like revocation of compromised certs and such).
It depends on just how sensitive the information is and how bad leakage would be. You may want to read some reviews of hosts to get an idea of how good the host is. (If possible, sort the reviews ascending by rating and look at the bad reviews to see if they are objective problems that could apply to you and/or have to do with security, or if they are just incidental or specific issues to that reviewer.) As for the “cloud”, you would kind of be taking a chance since real-world security and privacy of it has yet to be determined. Obviously, if you do go with it, you’ll want a notable, trustworthy host like Amazon or Microsoft since they have benefits like accountability and work constantly and quickly to fix any problems.
HTH
Background
Terminals are a compination of hardware and software. Terminal's main responsibility is to
- collect data (with it's sensors)
- process and transmit collected data to data server over the Internet.
The terminal has Internet access either via WLAN or GPRS. Terminal are running embedded Linux.
Things to consider, security perspective
Transmission of collected data over the air to data server.
Remote software updates over the air (is controlled by the data server),
Local software updates
Identification and authentication of terminal and server
What else should be considered in this type of system?
My question is divided in 3 parts.
Firstly, what kind of issues should be thought about when thinking about security with this kind of system.
Secondly, what ciphers, key exchange mechanism and security techniques could be applied in different parts of the answer of the first question.
And lastly, is there any good books/resources available covering this matter. Specifically targeting this type of application area or similar with practical advice on solutions.
I know my questions are little bit out there. I'm familiar with different ciphers (symmetric and asymmetric), but have found particularly difficult to find any pratical guidance in implementing security in real world systems. I hope this questions hits some traffic. I'm sure there are many of us out there facing similar challenges.
I can provide more details, just point me out where more information is required.
The actual important question is the first part of what your question. "What kind of Issues should be thought about." Only you can really determine that, via two tools: A threat model, and a security model.
A threat model is about who is trying to attack the system: Script Kiddies? Skilled Organized Crime Hackers? The evil overlord's government?
A security model describes what you are trying to protect. Should anybody be able to read the data? Should you be able to detect injection of false data?
First come up with a plan on what your requirements are, then look for technical solutions.
There are a few questions (C#, Java) that cover how one might implement automatic updates. It appears initially easy to provide automatic updates, and there are seemingly no good reasons not to provide automatic updates for most software.
However, none appear to cover the security aspects of automatic updates.
How safe are automatic updates now?
How safe should they be?
How safe can they be?
My main issue is that the internet is, for all intents and purposes, a wild west where one cannot assume anything about any data they receive. Automatic updates over the internet appears inherently risky.
A company computer gets infected, spoofs the DNS (only a small percentage of which win), and makes the other company computers believe that the update server for a common application is elsewhere, they download the 'new' application and become infected.
As a developer, what possible attacks are there, and what steps should I take to protect my customers from abuse?
-Adam
With proper use of cryptography your updates can be very safe. Protect the site you distribute your updates from with SSL. Sign all your updates with GPG/PGP or something else, make your clients verify the signature before applying the update. Takes steps to make sure your server and keys are kept extremely secure.
Adequate, is very subjective. What is adequate for a internet game, maybe completely inAdequate for the security system for our nuclear missiles. You have to decide how much potential damage could occur if someone managed to break your security.
The most obvious attack would be an attacker supplying changed binaries through his "evil" update server. So you should ensure that the downloaded data can be verified to originate from you, using a digital signature.
To ensure security, obviously you should avoid distributing the key for the signature. Therefore, you could implement some variation of RSA message signing
Connecting to your update server via SSL can be sufficient, provided your client will refuse to connect if they get an invalid certificate and your server requires negotiating a reasonable level of connection security (and the client also supports that).
However realistically almost anything you do is going to be at least as secure as the route via which your users get the first install of your software anyhow. If your users initially download your installer via plain http, it is too late to start securing things on the updates.
This is also true to some extent even if they get your intial software via https or digitally signed - as most users can easily be persuaded to click OK on almost any security warning they see on that.
there are seemingly no good reasons not to provide automatic updates for most software.
There are good reasons not to force an update.
bug fixes may break code
users may not want to risk breaking production systems that rely on older features