Cool Tools 24:

A couple of months back, the security team at a client reported that they used a scanner to generate a security report of their SSL-enabled portal, and the results included this little gem:

The SSL protocol encrypts data by using CBC mode with chained initialization vectors. This allows an attacker, which has gotten access to an HTTPS session via man-in-the-middle (MITM) attacks or other means, to obtain plain text HTTP headers via a blockwise chosen-boundary attack (BCBA) in conjunction with Javascript code that uses the HTML5 WebSocket API, the Java URLConnection API, or the Silverlight WebClient API. This vulnerability is more commonly referred to as Browser Exploit Against SSL/TLS or “BEAST”.

I knew we were using SSL at the site, and because of that, we were infinitely more secure than our peers who weren’t using SSL. But, I never really focused on the fact that SSL is a complicated “beast”, and there are different grades of security. Enter Qualys SSL Labs’ Analysis Tool, which taught me more than I’d ever known about SSL certificates. It started by giving us a big fat “F”:


A full analysis of WHY we were getting an “F” is beyond the scope of this post, but if you’re using SSL, I definitely suggest you check out SSL Labs to see how secure you are. The links and recommendations in SSL Labs’ report are phenomenal, and it didn’t take much time at all to resolve all of the discovered issues.

In our case, two major things were counting against us:
Certificate Chain
We didn’t have the complete certificate chain installed: the server was sending the site certificate without the intermediate CA certificate that links it to the trusted root, so a client that didn’t already have that intermediate couldn’t build a path to a root it trusts. Using SSL Shopper’s SSL Checker, we could see where the chain was broken. Because it was a Verisign certificate, the path led us to Verisign’s Certificate Checker. The below screen shot shows a GoDaddy certificate with the proper chain installed.
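To see the broken-chain failure on your own machine rather than on a live site, here is an added example (not from the original post or the checkers it mentions) that builds a throwaway root, intermediate and leaf with openssl, then verifies the leaf the way a client would, trusting only the root. The CA names, the hostname portal.example and all file paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: a throwaway root -> intermediate -> leaf
# chain, then verification with and without the intermediate being served.
# All names, paths and the hostname portal.example are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Sign CSR "$1" with CA cert "$2" and CA key "$3", using extensions file "$4", writing "$5".
sign() {
  openssl x509 -req -sha256 -days 30 -in "$1" -CA "$2" -CAkey "$3" \
    -CAcreateserial -extfile "$4" -out "$5" >/dev/null 2>&1
}

make_chain() {
  # Root CA: self-signed, marked as a CA.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl x509 -req -sha256 -days 30 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" >/dev/null 2>&1

  # Intermediate CA: issued by the root, may only sign end-entity certificates.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/int.ext"
  sign "$WORK/int.csr" "$WORK/root.crt" "$WORK/root.key" "$WORK/int.ext" "$WORK/int.crt"

  # Leaf: the portal's server certificate, issued by the intermediate.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=portal.example" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:portal.example\n' > "$WORK/leaf.ext"
  sign "$WORK/leaf.csr" "$WORK/int.crt" "$WORK/int.key" "$WORK/leaf.ext" "$WORK/leaf.crt"

  # What a correctly configured server sends: the leaf followed by the intermediate.
  cat "$WORK/leaf.crt" "$WORK/int.crt" > "$WORK/fullchain.crt"
}

# Emulate a browser: only the root is trusted; "$1" is the bundle the server sent,
# which the client may use as untrusted intermediates to reach the root. Prints OK or FAIL.
verify_as_client() {
  if openssl verify -CAfile "$WORK/root.crt" -untrusted "$1" "$WORK/leaf.crt" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# The misconfiguration from the post: the server sends only its own certificate.
served_leaf_only() { verify_as_client "$WORK/leaf.crt"; }
# The fix: the server also sends the intermediate.
served_full_chain() { verify_as_client "$WORK/fullchain.crt"; }

make_chain
echo "leaf only:           $(served_leaf_only)"
echo "leaf + intermediate: $(served_full_chain)"
```

The first verification fails with "unable to get local issuer certificate", which is exactly what an online checker reports as a broken chain; the second succeeds. Against a real site, `openssl s_client -connect host:443 -showcerts` lists every certificate the server actually sends, so you can confirm the intermediate is present before re-running the scanner. Note that a workstation which already has the intermediate cached from another site may validate the chain anyway, which is why a broken chain often goes unnoticed until a scanner or a fresh client trips over it.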

Weak Ciphers
Apparently not all SSL is created equal; there are different cipher suites that can be negotiated for key exchange, encryption and integrity. And because we were using the default BIG-IP configuration, we were supporting legacy ciphers that dated back to the IE6 days. By tweaking the cipher configuration to exclude the less-secure ciphers, we were able to get that SSL Labs report back up to an “A” where it belongs…
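Before pushing a new cipher string to the load balancer, it helps to see what the string actually expands to. The following is an added example (not from the original post, and the two cipher strings are constructed for the demo rather than the ones used on the author's BIG-IP) that uses the local OpenSSL to expand a permissive string and a restricted one, then counts the suites that should not survive the cleanup: RC4, DES/3DES, export grades, NULL encryption, MD5 MACs, and static RSA key exchange, which has no forward secrecy.

```shell
#!/bin/sh
# Added example, not from the original post: preview what a cipher string enables
# with the local OpenSSL, and count the suites that a cleanup should remove.
# Both cipher strings are constructed for this demo.
set -eu

# Stand-in for a permissive, everything-on legacy configuration.
LEGACY='ALL:!aNULL'
# Restricted string: ECDHE key exchange (forward secrecy) with AEAD ciphers only.
# AEAD suites are not CBC, so they are also outside the BEAST finding in the scanner report.
HARDENED='ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES:!EXPORT'

# Expand a cipher string into one line per suite (name, protocol, Kx, Au, Enc, Mac).
list_suites() {
  openssl ciphers -v "$1" 2>/dev/null
}

# Number of suites the string enables; 0 if OpenSSL rejects the string outright.
suite_count() {
  list_suites "$1" | grep -c . || true
}

# Number of suites using a broken or IE6-era primitive (RC4, DES/3DES, export grade,
# NULL encryption, MD5 MAC) or static RSA key exchange ("Kx=RSA", no forward secrecy).
weak_count() {
  list_suites "$1" | grep -E -c 'RC4|DES|EXP|NULL|Mac=MD5|Kx=RSA ' || true
}

echo "LEGACY:   $(suite_count "$LEGACY") suites, $(weak_count "$LEGACY") weak"
echo "HARDENED: $(suite_count "$HARDENED") suites, $(weak_count "$HARDENED") weak"
echo "--- suites the hardened string enables ---"
list_suites "$HARDENED"
```

On a modern OpenSSL build the legacy string still enables a pile of static-RSA suites (and, on builds compiled with weak ciphers, RC4 and 3DES as well), while the hardened string enables only ECDHE AEAD suites plus the TLS 1.3 suites that OpenSSL always lists. The BIG-IP client SSL profile takes an OpenSSL-style cipher string with some F5-specific keywords, so the same preview-then-apply approach works there, but verify the final string on the device itself, since the load balancer's supported suites differ from the local OpenSSL build, and then re-run SSL Labs to confirm the grade.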

