Feb 14, 2018

How Secure is Your #Bitcoin Exchange's SSL/TLS Implementation?

One thing I have a habit of doing since I work in the IT Security industry myself, is check not only a website's SSL certificate, but I also like to see how well they implemented it. The tool I often use to test this sort of thing is SSL Labs.

You see, not all implementations of SSL are secure. There are obsolete ciphers available. Plus, older implementations of SSL have been found to be vulnerable to various attacks. It's one of the reasons why PCI-DSS is forcing all companies that handle credit card transactions to disable everything except TLS 1.1 and TLS 1.2 in June this year.

I was curious on how well the cryptocurrency exchanges I use for various reasons stacked up. So I decided to test their websites using SSL Labs. Here are the results:


You can view the full report here, but as you can see above, Coinbase did exceptionally well. I also noticed that their SSL Certificate has a 4096 bit public key, the largest of the group I tested.

Binance did a great job as well scoring an A+. You can see the full report here. They did not implement all of the security options that Coinbase did like HTTP Public Key Pinning (HPKP), or implementing a DNS Certification Authority Authorization (CAA) Policy though. Still, their implementation is better than most. Their public key is 2048 bits.

I can't really complain about Changelly either with their A+ rating. You can see their full report here. They too use a 2048 RSA public key.

While still pretty good, it's not perfect. HitBTC only scored an A. You can see the full report here. One thing I noticed was that they use Cloudflare's CDN service, as well as Cloudflare's multi-client SSL certificate. That certificate has a 256 bit ECC key. If you are not familiar with the difference between ECC and RSA, Globalsign says the following:
ECC is able to provide the same cryptographic strength as an RSA-based system with much smaller key sizes. For example, a 256 bit ECC key is equivalent to RSA 3072 bit keys (which are 50% longer than the 2048 bit keys commonly used today). The latest, most secure symmetric algorithms used by TLS (eg. AES) use at least 128 bit keys, so it makes sense that the asymmetric keys provide at least this level of security.
After reviewing all of these, I feel pretty comfortable continuing to do business with these exchanges. Over all, their SSL implementation is pretty damned good compared to some sites out there. All of them still support TLS 1.0 though, so it may be interesting to test them again after PCI-DSS's June 30th deadline to disable it.

What do you think about this? Was there another exchange you wanted me to test? If so, let me know in the comments!

Twitter Delicious Facebook Digg Stumbleupon Favorites More

Design by Free WordPress Themes | Bloggerized by Lasantha - Premium Blogger Themes | stopping spam