Jun 30, 2020

Get Ready For An Epic SSL Certificate Maintenance Shitstorm


According to ZDNet, Apple made the executive decision back in February of this year to limit the default lifespan of SSL/TLS certificates to 398 days.
A decision that Apple unilaterally took in February 2020 has reverberated across the browser landscape and has effectively strong-armed the Certificate Authority industry into bitterly accepting a new default lifespan of 398 days for TLS certificates.
Google has opted in to join Apple as well according to The SSL Store:
It’s no secret, Google has been championing shorter certificate validity within the CA/Browser Forum (CA/B Forum) for years. At the end of last week, a well-known voice within the forum posted on Twitter that the tech giant will be making the switch to a one year validity period of 398 days for SSL/TLS certificates starting Sept. 1. This might sound like a big move, but it doesn’t actually change anything because it was already happening.
Mozilla will be jumping on the bandwagon on August 31st according to a GitHub post.

What will this mean? Well, for one, if you host a website that has a two year SSL certificate, all major browsers are going to start displaying an error warning users that your certificate is valid for too long.

I actually agree, this will probably make things more secure. The more frequently you swap your encryption keys, the better the security. I'm already doing it with Let's Encrypt on my personal email server because Let's Encrypt makes you renew every 3 months! Let's Encrypt makes renewal easy at least with the help of automation scripts.

Swapping out certificates every year in other places can be a pain if you are using other 3rd party CAs and manually renew your certificates. It's even more of a pain when you have clients that use Java applications and manually trust their 3rd party keys for additional stringent security. That means we have to swap our keys out probably every 200 days now at my day job so we can send the keys to clients ahead of time for testing and validation...
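As an added example (not code from the original post), here is a small renewal planner that applies the numbers above to a certificate inventory: the 398-day cap for certificates issued on or after Sept 1, 2020, the 200-day internal swap cycle, and an assumed 30-day lead time for getting new keys to clients. The inventory and the 30-day figure are constructed for the example.

```python
from datetime import date, timedelta

# Policy numbers from the post: 398-day cap for certs issued on/after the
# Sept 1, 2020 cutoff, and a 200-day internal renewal cycle. The 30-day
# client lead time is an assumption made for this example.
MAX_LIFETIME_DAYS = 398
CUTOFF = date(2020, 9, 1)
INTERNAL_CYCLE_DAYS = 200
CLIENT_LEAD_DAYS = 30


def lifetime_days(not_before, not_after):
    return (not_after - not_before).days


def exceeds_browser_cap(not_before, not_after):
    """True when a browser applying the 398-day rule will warn on this cert."""
    return not_before >= CUTOFF and lifetime_days(not_before, not_after) > MAX_LIFETIME_DAYS


def swap_deadline(not_before, not_after):
    """Date by which the replacement must reach clients: the earlier of the
    internal 200-day cycle and expiry minus the client lead time."""
    return min(not_before + timedelta(days=INTERNAL_CYCLE_DAYS),
               not_after - timedelta(days=CLIENT_LEAD_DAYS))


def plan_renewals(inventory, today):
    """inventory: iterable of (name, not_before, not_after) tuples.
    Returns one finding per cert, most urgent first."""
    findings = []
    for name, nb, na in inventory:
        deadline = swap_deadline(nb, na)
        findings.append({
            "name": name,
            "lifetime_days": lifetime_days(nb, na),
            "too_long": exceeds_browser_cap(nb, na),
            "swap_deadline": deadline,
            "days_left": (deadline - today).days,
        })
    findings.sort(key=lambda f: f["days_left"])
    return findings


# Constructed sample: a two-year cert issued before the cutoff, one issued
# after it, and a Let's Encrypt cert with its 90-day lifetime.
SAMPLE_INVENTORY = [
    ("legacy-2yr", date(2020, 1, 15), date(2022, 1, 15)),
    ("new-2yr", date(2020, 10, 1), date(2022, 10, 1)),
    ("mail-letsencrypt", date(2020, 6, 1), date(2020, 8, 30)),
]

if __name__ == "__main__":
    for f in plan_renewals(SAMPLE_INVENTORY, date(2020, 6, 30)):
        flag = "TOO LONG" if f["too_long"] else "ok"
        print(f"{f['name']:18} {f['lifetime_days']:4d}d {flag:8} swap by {f['swap_deadline']} ({f['days_left']}d)")
```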

Basically an SSL Certificate Maintenance Shitstorm!

Do you manage SSL certificates in your environment? How are you handling it? Let us know in the comments!

Jun 12, 2020

An SSL Certificate is An SSL Certificate is An SSL Certificate

You are probably looking at the title of this post and scratching your head right about now. Allow me to try to explain my thought process here. Many moons ago I worked as a Systems Engineer for a SharePoint consulting company. It was the first place I started messing with SSL certificates for encryption. Granted, I didn't know as much about them as I do now, but I had the basics down.

One thing we did there was purchase GoDaddy SSL certificates because at the time, they were probably the cheapest 3rd party certificates out there. Shortly after I started buying them, I found the now defunct StartSSL which issued free 3rd party SSL certificates that were trusted by browsers.

It was around this time I realized that as long as a browser trusted a certificate, it really didn't matter which 3rd party certificate company you went with. I mean, the technology is the same. A certificate really is just a text file with random characters in it that is matched by another key file that is also just a text file with random characters in it. There is really nothing inherently special about a Verisign certificate vs a DigiCert certificate vs a Sectigo certificate... Basically an SSL certificate is an SSL certificate is an SSL certificate. Do you follow me?

One might have argued back then that an EV, or Extended Validation certificate is a little more special, but even then all certificate authorities offer those. Some are cheaper than others, which again proves my point.

Well I just stumbled on an article that backs my original thought on this, and goes a little bit further by arguing that even EV certificates are kind of unnecessary now, and you might as well just go with a free 3rd party certificate authority like Let's Encrypt!


...as of Autumn 2018 browsers are increasingly hiding the only information that distinguishes between these two types of certificates. It is fully possible some users will never know a site has an EV certificate in use. Google and Apple have already shown that they can and will stop showing the added benefits of higher cost security certificates, and most others will surely follow. Moreover, most users do not care or know the difference between a DV or EV certificate. To most people a site either has the padlock, or it does not, and if an EV certificate is visible, they often find the additional information confusing.

So then, why pay for these fancy certificates? Some certificate providers will offer a “warranty” on a certificate purchase. Cutting to the chase, it is not clear what value these warranties provide. There is no record of anyone using a certificate warranty, and there may not ever be. As the benefits of the higher end certificates continue to dwindle into irrelevance, all that remains is the normal, trusted, DV certificates that throw up the padlock and say it has a secure connection. This lock could be green, or grey, or whatever color the browser chooses to display. The fact of the matter is that the browser controls how the certificate displays to the user, not the certificate.

What do you think about this? Do you agree with Paradox Labs? Let us know what you think in the comments!


Jun 11, 2020

SSL Grades For The Top 6 Social Media Sites

I've been keenly aware of SSL/TLS settings on web servers for the past 9 years. Mainly because securing websites has been a big part of my job, and part of that is keeping up to date with the latest threats to SSL/TLS encryption in websites. Periodically PCI/DSS standards change which means I have to scramble to implement improved SSL/TLS standards for the websites owned by the company I work for. One of the tools I use to test my own servers is SSL Labs by Qualys.

Those of you that have been following my blog for years know about it since I write about it periodically.

Well, one of the things I like to do is check other websites and see how their SSL/TLS stands up. Are they secure enough? Should I trust them? You get the picture.

I decided to test 6 of the top social media sites out there to see if they cut the mustard! Here they are:

Twitter

Coming in at the best secured social media site with a beautiful A+ rating is Twitter! I can't complain about that at all. Well done!

LinkedIn

The social media site for professionals did fairly well with an A rating. They got dinged a little for not having DNS CAA settings, which in short tells browsers which SSL certificates are authorized for use by that particular domain. It is really easy to set up, so there isn't a good reason not to have that done. They also got dinged for weak ciphers. Still though, not a bad rating.

Facebook

Probably the king of social media, and often slammed for their draconian censorship, is Facebook with a trash rating of B! They were capped at a B because they still support TLS 1.0 and 1.1, which were deprecated by PCI/DSS a couple of years ago. They also accept the RC4 cipher, which is garbage. More on that after the rest of the ratings.

Snapchat

The app used by teenage girls and basic bitches on Tinder! I've said it before, your animal Snapchat dating profile picture isn't cute! Knock that shit off! Anyway, they were capped at a B rating too! At least they turned off RC4...

Instagram

Instagram is a favorite of mine. I like what their filters can do for some of the pictures I take while out hiking, or spending time with friends and family. Still though, their encryption isn't great since they were capped at a B as well. That isn't very surprising since they were bought out by Facebook.

TikTok

Finally we have TikTok. My daughter has me addicted to this silly video social media app! I wasn't going to use it but she kept texting me various videos and I was tired of opening up the links in my phone's browser. Now I love it! Still though, their security sucks as bad as Facebook with a B rating. At least they don't support RC4!

Why SSL Labs hates TLS 1.0 and TLS 1.1

Per Qualys:

Best practices outlined in RFC-7525 give reasons why it is discouraged to use protocol TLS 1.0 and TLS 1.1. PCI-DSS recommends users to switch from protocol TLS 1.0 and adopt protocol TLS 1.2+.

Why RC4 Sucks

Again, from Qualys:

RC4 has long been considered problematic, but until very recently there was no known way to exploit the weaknesses. After the BEAST attack was disclosed in 2011, we—grudgingly—started using RC4 in order to avoid the vulnerable CBC suites in TLS 1.0 and earlier. This caused the usage of RC4 to increase, and some say that it now accounts for about 50% of all TLS traffic.

Last week, a group of researchers (Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering and Jacob Schuldt) announced significant advancements in the attacks against RC4, unveiling new weaknesses as well as new methods to exploit them. Matthew Green has a great overview on his blog, and here are the slides from the talk where the new issues were announced.
The funniest part about some of these sites still supporting RC4 is that the above blog quote from Qualys was written in 2013! There is no good reason for anyone to still be using it at this point!
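As an added example (not code from the post or from SSL Labs), here is a small audit that applies the two grade-capping rules described above, TLS 1.0/1.1 and RC4, plus the CAA ding LinkedIn got, to a list of what a server offers, and then runs the same check against a hardened Python `ssl.SSLContext` to confirm a server built with it would pass. Protocol names follow `ssl.TLSVersion` member names; the scan lists and CAA record are constructed.

```python
import ssl

# Rules taken from the post: offering TLS 1.0/1.1 or RC4 caps the SSL Labs
# grade at B; a missing DNS CAA record is a smaller ding. A CAA record limits
# which CAs may issue for the domain.
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1_1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH")


def audit_offer(protocols, ciphers, caa_records=None):
    """Check a server's offered protocols/ciphers (names as a scanner lists them)."""
    legacy = sorted(p for p in protocols if p in LEGACY_PROTOCOLS)
    weak = [c for c in ciphers if any(m in c for m in WEAK_CIPHER_MARKERS)]
    findings = []
    if legacy:
        findings.append("legacy protocols offered: " + ", ".join(legacy))
    if any("RC4" in c for c in weak):
        findings.append("RC4 cipher suites accepted")
    if weak:
        findings.append("weak ciphers: " + ", ".join(weak))
    if not caa_records:
        findings.append("no DNS CAA record restricts which CAs may issue")
    capped = bool(legacy) or any("RC4" in c for c in weak)
    return {"grade_cap": "B" if capped else None, "legacy_protocols": legacy,
            "weak_ciphers": weak, "findings": findings}


def hardened_server_context(certfile=None, keyfile=None):
    """Server context that passes the checks above: TLS 1.2+, AEAD suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    if certfile:  # cert/key files are assumed to exist when given
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_context(ctx, caa_records=None):
    """Run audit_offer over what a local SSLContext is actually configured for."""
    versions = [v for v in ssl.TLSVersion if v > 0]  # SSLv3 .. TLSv1_3
    lo = ctx.minimum_version if ctx.minimum_version > 0 else versions[0]
    hi = ctx.maximum_version if ctx.maximum_version > 0 else versions[-1]
    protocols = [v.name for v in versions if lo <= v <= hi]
    ciphers = [c["name"] for c in ctx.get_ciphers()]
    return audit_offer(protocols, ciphers, caa_records)


if __name__ == "__main__":
    # Constructed scan result shaped like the Facebook finding in the post.
    print(audit_offer(["TLSv1", "TLSv1_1", "TLSv1_2"],
                      ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA"]))
    print(audit_context(hardened_server_context(), ['0 issue "letsencrypt.org"']))
```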

Conclusion

So should you stop enjoying these social media sites because the ratings aren't all A+? Not really. Most of these servers support strong ciphers in preferred order. That means as long as you are using updated applications and modern browsers, you are most likely connecting using the strongest ciphers and TLS versions offered by the servers. You will be fine. On top of that, most of the info you put out on social media isn't that secure anyway.

This is more of an indictment of their security and systems engineers, and I'm calling them out to do better and try harder. It's not that difficult to get at least an A rating! It also pushes your customers to improve their security as well by not allowing them to keep using legacy systems! If they want to connect to your service, they need to use modern browsers!

Your thoughts?

What do you think about this? Let us know in the comments!


