CategoryInfrastructure

Sooooo SSL and this hosting provider

Sooooo SSL and this hosting provider

I am a fan of the idea of putting SSL all over the place.

But wait! This very site does not even have SSL or serve data over a secure channel.

Well here is my current problem. This particular hosting provider is somewhat behind the times. They do not support users setting up more than one SSL certificate and I host multiple sites with them. I guess I am left with a simple choice here really. Move to a new hosting provider or just accept that even this simple site login is insecure and open to being spied on or stolen.

I hear the skeptics saying “But with Let’s encrypt you can use Subject Alternative Names” and yes, this would solve the problem, but directly link all the sites I host on this server. I do not want to do this. I also know that its not difficult to find out this information, but I do not want to broadcast it with every connection.

I use Let’s Encrypt wherever I can as it is simple to use on just about any OS. I actively use it on my windows servers as well as my Linux servers. Both pretty easy to setup and get going.

 

I do find it disappointing, hhhmmmm, or maybe I have been spoilt with using AWS (Amazon Web Services) and the ease of doing certain things, but in this era of regular data breaches and peoples passwords “hitting the streets” I feel SSL should be offered free by all hosting providers. If not through the tools and control panels then at the very least enable the customers to easily set up and use Let’s Encrypt.

Soo POODLE (SSLv3 vulnerability)

Soo POODLE (SSLv3 vulnerability)

Firstly … really POODLY [https://www.openssl.org/~bodo/ssl-poodle.pdf] after its predesessors are Lucky 13 and BEAST, pitty the name wasnt as kewl. Oh well.

Found by your friendly security peoples at Google [http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploiting-ssl-30.html]

What does this mean for you?

Are you on Windows XP, then you are vulnerable. Ok so what does that actually mean?
Well it means that even over SSL (https) your data is not guarenteed secure. This vulnerability means that your information can be stolen right out of your SSL session.

A brief look over some other connection methods (browers etc)
The info below kindly borrowed from https://www.ssllabs.com/ssltest checking a well know site, which shall remain un-named.

Android 2.3.7   No SNI 2 SSL 3 TLS_RSA_WITH_RC4_128_SHA (0x5)   No FS   RC4 128
Android 4.0.4 SSL 3 TLS_RSA_WITH_RC4_128_SHA (0x5)   No FS   RC4 128
Android 4.1.1 SSL 3 TLS_RSA_WITH_RC4_128_SHA (0x5)   No FS   RC4 128
Android 4.2.2 SSL 3 TLS_RSA_WITH_RC4_128_SHA (0x5)   No FS   RC4 128
Android 4.3 SSL 3 TLS_RSA_WITH_RC4_128_SHA (0x5)   No FS   RC4 128
Android 4.4.2 TLS 1.2 TLS_RSA_WITH_RC4_128_SHA (0x5)   No FS   RC4 128
BingBot Dec 2013   No SNI 2 SSL 3 TLS_RSA_WITH_RC4_128_SHA (0x5)   No FS   RC4 128
BingPreview Jun 2014 SSL 3 TLS_RSA_WITH_IDEA_CBC_SHA (0x7)   No FS 128
Chrome 37 / OS X  R TLS 1.2 TLS_RSA_WITH_RC4_128_SHA (0x5)   No FS   RC4 128
Firefox 24.2.0 ESR / Win 7 SSL 3 TLS_RSA_WITH_SEED_CBC_SHA (0x96)   No FS 128
Firefox 32 / OS X  R TLS 1.2 TLS_RSA_WITH_RC4_128_SHA (0x5)   No FS   RC4 128
Googlebot Jun 2014 SSL 3 TLS_RSA_WITH_RC4_128_SHA (0x5)   No FS   RC4 128
IE 6 / XP   No FS 1   No SNI 2 SSL 3 TLS_RSA_WITH_RC4_128_SHA (0x5)   No FS   RC4 128
IE 7 / Vista SSL 3 TLS_RSA_WITH_RC4_128_SHA (0x5)   No FS   RC4 128
IE 8 / XP   No FS 1   No SNI 2 SSL 3 TLS_RSA_WITH_RC4_128_SHA (0x5)   No FS   RC4 128
IE 8-10 / Win 7  R SSL 3 TLS_RSA_WITH_RC4_128_SHA (0x5)   No FS   RC4 128
IE 11 / Win 7  R TLS 1.2 TLS_RSA_WITH_RC4_128_SHA (0x5)   No FS   RC4 128
IE 11 / Win 8.1  R TLS 1.2 TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)   No FS 256
IE Mobile 10 / Win Phone 8.0 SSL 3 TLS_RSA_WITH_RC4_128_SHA (0x5)   No FS   RC4 128
IE Mobile 11 / Win Phone 8.1 TLS 1.2 TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   No FS 256
Java 6u45   No SNI 2 SSL 3 TLS_RSA_WITH_RC4_128_SHA (0x5)   No FS   RC4 128
Java 7u25 SSL 3 TLS_RSA_WITH_RC4_128_SHA (0x5)   No FS   RC4 128
Java 8b132 TLS 1.2 TLS_RSA_WITH_RC4_128_SHA (0x5)   No FS   RC4 128
OpenSSL 0.9.8y SSL 3 TLS_RSA_WITH_IDEA_CBC_SHA (0x7)   No FS 128
OpenSSL 1.0.1h TLS 1.2 TLS_RSA_WITH_SEED_CBC_SHA (0x96)   No FS 128
Safari 5.1.9 / OS X 10.6.8 SSL 3 TLS_RSA_WITH_RC4_128_SHA (0x5)   No FS   RC4 128
Safari 6 / iOS 6.0.1  R TLS 1.2 TLS_RSA_WITH_RC4_128_SHA (0x5)   No FS   RC4 128
Safari 7 / iOS 7.1  R TLS 1.2 TLS_RSA_WITH_RC4_128_SHA (0x5)   No FS   RC4 128
Safari 8 / iOS 8.0 Beta  R TLS 1.2 TLS_RSA_WITH_RC4_128_SHA (0x5)   No FS   RC4 128
Safari 6.0.4 / OS X 10.8.4  R SSL 3 TLS_RSA_WITH_RC4_128_SHA (0x5)   No FS   RC4 128
Safari 7 / OS X 10.9  R TLS 1.2 TLS_RSA_WITH_RC4_128_SHA (0x5)   No FS   RC4 128
Yahoo Slurp Jun 2014   No SNI 2 TLS 1.2 TLS_RSA_WITH_SEED_CBC_SHA (0x96)   No FS 128
YandexBot Sep 2014 TLS 1.2 TLS_RSA_WITH_IDEA_CBC_SHA (0x7)   No FS 128
(1) Clients that do not support Forward Secrecy (FS) are excluded when determining support for it.
(2) No support for virtual SSL hosting (SNI). Connects to the default site if the server uses SNI.
(R) Denotes a reference browser or client, with which we expect better effective security.
(All) We use defaults, but some platforms do not use their best protocols and features (e.g., Java 6 & 7, older IE).

 

Looking over the table above we see alot of information, for me the most interesting being any “No SNI” and of course anything that sals SSL 3.

Since POODLE relates to SSLv3, this means that all those labled “SSL 3” in the report are vulnerable.

So this looks like it is relatively large.
Now before you head off yelling that the sky is falling…

Most modern browsers are able to not use SSLv3 if supported by the server you are connecting to. This of course does not guarentee your safty due to various other possible ways to get your browser to downgrade its connection.

There is loads of info out there already on POODLE so feel free to read over them.

AWS users check out – http://aws.amazon.com/jp/security/security-bulletins/CVE-2014-3566-advisory/

This one has some interesting links, in particular ways you can check your own sites, including the quick https://ssllabs.com/ssltest
http://blog.fox-it.com/2014/10/15/poodle/

https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploiting-ssl-30.html
http://mattiasgeniar.be/2014/10/15/patch-your-webservers-for-the-sslv3-poodle-vulnerability-cve%C2%AD-2014%C2%AD-3566/

Soo you thought heartbleed was bad, along comes shellshock.

Well it seems that there is a nasty that has recently hit the wire about something being called shellshock.

There is a pretty good article about it at http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html

You dont think it affects you?
Think again and think carefuly.

Are you connected to the internet by a modem that is provided by your ISP? Then there is a good chance that it runs some form of *nx type shell under the hood and therefore you could be vulnerable.

Read over the linked article.

Thanks to a collegue of mine, Ian Barry, for bringing this to my attention.

The short version, which is overly simplified is ….
If you have any device that runs a bash shell then you are likly vulnerable.
Most internet enabled devices that are not windows have a chance of running a shell of some sort, not necessarily bash, but do you want to take that chance?
Don’t be nieve and think that you wouldnt be targeted because you a small/home user. You to have valuable information protect it.

Disclaimer: Just because windows does not natively run bash, it can be user installed.

%d bloggers like this: