Friday, November 6, 2015

Checking SSL/TLS versions for audit purposes

SSL and TLS have long been thought of as secure, but several problems have shown SSL to be insecure. The PCI standard will begin flagging all versions of SSL and TLS 1.0 as insecure in June 2016 (link here). This makes sense, as TLS 1.0 was released in 1999.

Many have found out the hard way that hardening servers will break some things. I learned about Windows Server OS support for each cipher by looking at the table in this MSDN article. You can see that when hardening servers, the client side is very important: it is what holds many websites back from removing support for old versions. If your legacy application still has legacy clients and you cannot modernize both, you will not be able to pass industry certifications, and you will have to fix both.

You can easily check the TLS version in most browsers by clicking on the lock icon and digging a bit; I use Chrome and Mozilla and found the TLS version very easily.

However, my good friend @edmsanchez13 pointed out that McAfee has a free tool called SSLSmart that checks SSL and TLS 1.0 ciphers. This tool is very useful: those are the problematic versions, it is free, you can run it yourself against internal servers, and it tests several ciphers in batch mode. I recommend it when you need to verify how your internal servers are behaving.
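To show what such a batch check does under the hood, here is an added example (my own script, not SSLSmart's code) that probes one endpoint for each protocol version and turns the outcomes into an audit verdict against the PCI list above. It assumes Python 3.7+ with an OpenSSL-backed `ssl` module; note that a modern client library may itself refuse to offer SSLv3 or TLS 1.0, which is exactly the client-side problem described earlier, so that case is reported as inconclusive rather than as a pass.

```python
"""Protocol-version audit for one TLS endpoint, a minimal stand-in for the batch
checks the post runs with SSLSmart (added example, not that tool's code). Each version
is tried with a client context pinned to exactly that version; a finished handshake
means the server accepts it. Certificate validation is deliberately off here."""
import socket
import ssl

# Versions the PCI schedule cited in the post flags: SSLv3 and TLS 1.0.
PCI_FLAGGED = {"SSLv3", "TLSv1"}
PROBE_VERSIONS = ("SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3")

def probe_version(host, port, name, timeout=5.0):
    """Return 'accepted', 'rejected' or 'untestable' for one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ctx.maximum_version = getattr(ssl.TLSVersion, name)
    except (ValueError, AttributeError):
        return "untestable"  # the local OpenSSL cannot even offer this version
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # let OpenSSL 1.1+/3.x offer legacy suites
    except ssl.SSLError:
        pass  # older OpenSSL / LibreSSL: no security levels, nothing to relax
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "untestable"  # no TCP connection, so nothing learned about TLS
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "accepted"
        except (ssl.SSLError, OSError):
            return "rejected"  # alert, handshake failure or abrupt close

def audit(results):
    """Turn {version: outcome} into the verdict a reviewer reads off a scan."""
    accepted = {v for v, r in results.items() if r == "accepted"}
    untestable = {v for v, r in results.items() if r == "untestable"}
    if accepted & PCI_FLAGGED:
        verdict = "FAIL"  # a flagged version still negotiates
    elif untestable & PCI_FLAGGED:
        verdict = "INCONCLUSIVE"  # this client could not offer it; rescan elsewhere
    elif accepted & {"TLSv1_2", "TLSv1_3"}:
        verdict = "PASS"
    else:
        verdict = "NO_MODERN_TLS"
    return {"verdict": verdict, "accepted": sorted(accepted), "untestable": sorted(untestable)}
```

Run it against a host with `audit({v: probe_version(host, 443, v) for v in PROBE_VERSIONS})`; a FAIL from this script is a real finding, while INCONCLUSIVE means your scanning client, not the server, is the limiting factor.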

It is curious to see how certain websites handle the issue. For example, uses an HTTP 301 (moved permanently) response for some of the older ciphers. The PDF included with the SSLSmart tool also explains why scanning solutions sometimes give false positives. For example, which is a public and free SSL analyzer, ranks Google with a B on several options, but the problems it finds correspond to the responses that give an HTTP 301. It is also interesting to look at the Recent Best and Recent Worst lists for good and bad examples for your testing and learning.

Here are two other good links I found while testing and writing this post:

  • A Mozilla security engineer named Julien Vehent analyzed the web's top million websites; his findings are here
  • tests the client (the browser, in my case)
