Elite Buyer

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Wednesday, 10 October 2012

Insecure SSL and How PCI gets it right

Posted on 11:28 by Unknown

Insecure SSL and How PCI “Nearly” gets it Right


Nearly every assessment project we do we see insecure ciphers. Unfortunately, many people see SSL and cryptography as a ‘voodoo art’ that mere mortals can not tackle, or they just assume that the default install of the web server will set it up just fine.
It would seem logical if the data transmitted to and from your site is important enough to encrypt, then you might as well do it properly. Afterall, large web sites don’t use encryption just for the fun of it, the mathematics required to undertake these cryptographic functions on a large scale requires significantly more CPU power, often including accelerator cards or dedicated SSL Accelerator appliances. This, of course, dramatically increases expense and infrastructure complexity, when comparing an SSL page to its non-encrypted counterpart.
Background
As some background lets define what exactly is an “insecure SSL Cipher”. For the sake of simplicity, it is probably best broken into two categories:
1. Insecure Cryptography. This is where the keys, signatures, and hashes that secure the data are weak and can be broken within a reasonable amount of time. Back in the mid-90′s, ‘export-grade’ encryption that moved from 40bit to 56bit in strength was really thought to be ok for general consumer transactions. It was generally thought to be strong enough to keep honest people out, and dishonest people would have to go through quite a bit of number crunching to break the keys. But in 1999, the Electronic Frontier Foundation (EFF) and distributed.net rocked the world and cracked a 56bit key in just 22hrs. Recent advances in video card processors and interfaces now makes the Graphics Processing Unit (GPU) an extremely fast and accessible math processor that is rapidly reducing the time it takes to crack passwords and of course cryptography of all sorts. For example, some software claim statistics like 200 million attempts per second at cracking md5. It is now generally recognized that keys should be 128bit and above in key length. Of course this is a generalization since each cipher’s strength varies even at the same key-length, but it’s a good rule of thumb.
2. Insecure Protocols. The protocol is essentially how the cryptography is used to secure the data. The protocol uses cryptography (keys, certificates, and hashes) to create and maintain a secure connection between the user and the server. If the protocol can be subverted, it can allow an attacker to tamper with the encryption mechanisms to reduce or eliminate it altogether. SSL version 2 is a great example of an insecure protocol, with quite a list of problems that would keep a mathematician awake at night.
The fix for the above problems is of course to disable the insecure ciphers and protocols at the server level. When a secure connection is being established, the server and the client (eg. the user’s browser) negotiate the protocol and encryption that will be used. If the server does not allow the insecure mechanisms then the client can not possibly setup an ‘insecure’ connection. Everyone should disable SSLv2 and all ciphers under 128bit.
You might be wondering how many people rely on SSLv2 for their transactions. Just how many people need to use SSLv2? There doesn’t seem to be a definitive resource that lists all the browsers ever created and what versions of SSL they support. However, doing some research I stumbled upon a site from the “Massachusetts Registry of Motor Vehicles” that really is good on several levels. This site does not appear to allow SSLv2 or insecure ciphers. It also defines what browsers will work with the site and tells the users how to set their browser settings if they do have problems. This site says that it will support Internet Explorer (IE) version 4 and above. This version of IE was released in 1997. Therefore only IE versions released before 1997 would not work with their site; that would require a user not to have updated their browser in nearly 12 years!
So how does this relate to PCI?
Well up until November 2008 there was quite a bit of ‘grey’ area in the wording of SSL requirements in the PCI standards (section 4.1). As with all standards, they are often quite general and open for interpretation. You might be surprised to know that there are some companies out there that want to do as little as possible to meet the certification criteria rather then do the “right thing.” Disabling insecure ciphers and SSLv2 seems easy, and indeed it is, but some companies would rather argue ad-infinitum that they might block one legitimate user from using the site instead of making the site more secure for everyone else to use. It would be much better to guide and nudge that one user to better protect themselves – a user typically has no idea what goes on behind the scenes and wouldn’t even know they are unsafe.
To combat this argument, in November 2008 (PCI Assessor Update Nov’08p1), the PCI council came out and said quite specifically that SSLv2 would create a failure in PCI compliance if it was used to transmit confidential information. To my absolute amazement they did not go so far as to say SSLv2 must be disabled altogether. They leave an ‘out’ so that supposedly an insecure browser can initiate an SSLv2 session so the user can receive an ‘error’ and be told to upgrade their browser. This is quite ridiculous because now the PCI assessor needs to look at the application business logic to ensure this mechanism is indeed in place, and is in place properly. The biggest real problem is that applications change. One small slip up and it is quite possible that a developer inadvertently drops the browser check and SSLv2 is enabled again for the entire site. The best way to solve the problem is never have SSLv2 enabled and to redirect from a non-encrypted site to the ‘secure site’. Use the non-encrypted site to provide directions in case a user needs help with their browser, just as MA-RMV did above.
In essence the PCI council “nearly got it right”. I have been considering why the council would allow SSLv2 just to throw an error to a user and I just can’t think of a valid use case. So this one ruling not only theoretically allows implementation of insecure protocols – since it doesn’t explicitly disallow them – but they also make it much more difficult for an assessor to determine just how SSLv2 is being implemented and caught.
If every single website on the Internet turned off SSLv2 right now, the world would be a slightly better place, and this discussion would end – as every user would have no choice but to fix their browser. Sometimes users need a little motivation to change; 12 years really is a long time not to have updated a browser.
Email ThisBlogThis!Share to XShare to FacebookShare to Pinterest
Posted in 128bit, compliance, pci, scan, ssl cipher, ssl2 | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • Best 100 Most Interesting Blogs and Websites of 2013
    The 100 Best, Most Interesting Blogs and Websites of 2013   by Shaw Adli Google Note:  If you tweet or share this post, please include the #...
  • Best Music Apps
    15 of the best music apps Lanyard Lanyard is a beautiful way to keep and share memories of the gigs you’ve been to. This Web app (native...
  • Best Hard Drive Disk Degragmentation Tools Defrag (Computer Support Torrance)
    Five Best Disk Defragmentation Tools 562-366-4177 elitebuyer.com Defragmenting your hard drive regularly is an important part of regular h...
  • Essential Outlook 2010 Tips to improve your email
    Understand How Calendar Preview Appears in Meeting Requests When you e-mail a meeting request to a co-worker or client, if the recipient us...
  • How To Transfer Contact to iphone 5 from 4s/4 iphone
    How to Transfer Contacts to iPhone 5, iOS 6 from iPhone 4S/4/3G/3GS   iPhone     Just purchased the new iPhone 5 and want t...
  • Archiving Outlook Manually
    Microsoft Office Outlook® 2003 and 2007 In Outlook, archiving is a way to back up or delete old items, such as e-mail messages, appointmen...
  • Learn any Languages Via Subtitles While Watching Movies With LaMP
    A really great way to get good at a foreign language is to watch films that have subtitles in the language you’re learning; this allows yo...
  • Sync iPhone 3g With Google Calendar
    NuevaSync allows direct, over-the-air, native synchronization of certain smart phones and PDA devices with public PIM, and calendaring servi...
  • How to boot Windows 7 from a USB Flash Drive Step By Step
    Step by Step on how to install Windows 7 from a USB Flash Drive. Download Diskpart form Microsoft site Run diskpart Type : List disk You sho...
  • How To flush DNS on you desktop computer
    If you get a Ip conflict on your network you need to flush out the DNS on that systems. n  Microsoft   Windows , you can use the command  ip...

Categories

  • -6123
  • 100
  • 101 most useful
  • 128bit
  • 15 Android widgets that will make iPhone users jealous
  • 20 sites to promote your web site
  • 2007
  • 2010
  • 3gs
  • 4gs
  • 562-366-4177
  • 5g
  • 5gs
  • 6123
  • 64bit
  • 90505
  • 90732
  • 90804
  • 90813
  • access
  • activex
  • adli
  • alert
  • apps
  • archive
  • array
  • attachments
  • audio
  • autocomplete
  • backtoschool
  • basic
  • best
  • Best PDF Tools
  • better
  • blogs
  • blue screen
  • bluscreen
  • bmw
  • boot
  • browser
  • browser chooser
  • bsod
  • burn cd
  • burn dvd
  • burn iso
  • ca
  • capture
  • carson
  • ccleaner
  • cd
  • certificate problems
  • changes
  • cheat
  • cis
  • claim
  • classicshell
  • cmb
  • combofix
  • command
  • compaq
  • complex
  • compliance
  • computer
  • computer fix
  • computer help
  • computer upgrade.
  • confugure.
  • connection
  • contacts
  • control panel
  • create
  • creating
  • data
  • data21
  • defrag
  • defraging
  • defragmenting
  • delete
  • deleted
  • delivered
  • dell
  • dentist
  • dentrix
  • desktop
  • desktop vista
  • desktop windows 7
  • desktop windows 8
  • desktp
  • disaster
  • disc
  • disk2vhd
  • doubling
  • download
  • Driver manager
  • dual monitors
  • duplicate
  • dvd
  • easy transfer
  • ebcnetworks
  • efficient
  • elitebuyer
  • email
  • email e-mail
  • emergency
  • emial color code
  • enhancements
  • entrepreneur
  • error
  • expand
  • explorere
  • failure
  • fast
  • fax
  • file
  • file zilla
  • files
  • filesharing
  • filezilla
  • finder
  • firefox
  • firewall
  • fix
  • fix center
  • fixmycomputer
  • folder
  • folders
  • format
  • free
  • freezing
  • ftp
  • gmail
  • google
  • Google sync with iPhone
  • google.
  • greeting
  • hard drive
  • have
  • help
  • help fix computer
  • hep
  • High Ranking in Search engines
  • hot Corner
  • how to
  • howto
  • hp
  • hyperv
  • icloud
  • ie8
  • ie9
  • improve
  • inbox
  • indexing
  • insurance
  • internet
  • Internet Explorer Windows XP Professional
  • invalid
  • ios
  • iphone
  • Iphone to google Sync
  • iphone5
  • iso
  • it
  • jpg
  • junk
  • kids
  • languages
  • laptop
  • laserjet
  • late
  • learn
  • lesson
  • linux
  • listary
  • long beach
  • long beach computer
  • long beach laptop
  • longbeach
  • los angeles
  • mac
  • malicious
  • malware
  • malwarebytes
  • management
  • managment
  • marketing
  • message
  • micorosft
  • micorosoft
  • microsoft
  • microsoft office
  • microsoft office 2010
  • mobile
  • move
  • movie
  • multi boot
  • multi-user
  • mutliboot
  • network
  • network support
  • networking
  • new
  • newspaper websites First Click free access to all the news articles without registering or subscribing
  • nk2
  • office
  • office 2007
  • office 2010
  • office xp
  • office2007
  • office2010
  • Online
  • operating
  • option
  • orignianl
  • outllok2010
  • outloo
  • outlook
  • outlook 2000
  • outlook 2003
  • outlook 2007
  • outlook 2010
  • Outlook it disappears from the task bar
  • outlook2007
  • outlook2010
  • panning
  • password
  • pc
  • pc repair
  • pci
  • PDF Password Remover Mac
  • pdf printer.
  • PDF Unlocker for Mac
  • phone
  • pictures
  • pin
  • Pismo
  • pocket
  • point
  • portable
  • precisionamc
  • print spooler
  • printer
  • productivity
  • profile
  • program
  • prompt
  • putty
  • QTTabBar
  • quick books
  • Quick Cliq
  • quickbooks
  • range
  • recover
  • recovery
  • remote
  • removal
  • repair
  • replacment
  • restore
  • reverting
  • review of Adobe Acrobat
  • review of Foxit
  • review of PDF-XChange
  • roadkil
  • router
  • run.
  • safe mode.
  • san pedro
  • scan
  • schedule
  • school
  • script
  • scripts
  • search
  • searching
  • second monitor
  • sender
  • server
  • server 2003
  • server 2008
  • server 2008.
  • service
  • setup
  • share
  • sharing
  • shaw
  • shoot
  • site
  • slow
  • smb
  • social
  • software
  • spam
  • spamfilter
  • speed
  • spooler
  • ssd
  • ssd hard drive
  • ssl
  • ssl cipher
  • ssl2
  • start menu
  • statup
  • stellar phoenix
  • step
  • step by step
  • stream
  • support
  • support.
  • sync
  • system
  • system doctor 2014
  • systems
  • tamim
  • Taskbar
  • tech
  • technet
  • techsupport
  • this copy of windows must be activated with microsoft before you can log on.
  • tip
  • tips
  • tool
  • torrance
  • transfer
  • trick long beach
  • troubleshoot
  • tweak
  • typing
  • typist
  • unc
  • understand
  • uninstall
  • updates
  • upgrade 90802
  • utilities
  • verify
  • video
  • virtual
  • virus
  • vist
  • vista
  • visual guide
  • voice
  • warning
  • webcam
  • website
  • websites
  • wet
  • widgets
  • widnows7
  • widows
  • window 7
  • window 7 libraries
  • window 7 pro
  • window 8
  • window7
  • window8
  • windoweasytransfer
  • windows
  • windows 7
  • windows 8
  • windows vista
  • windows xp
  • Windows XP Professional
  • Windows XP SP3
  • windows7
  • windows8
  • windwos7
  • wireless
  • Word 2007 ie8
  • xp
  • XP Recovery Disc
  • XP tech support.
  • Yardi

Blog Archive

  • ►  2013 (16)
    • ►  November (1)
    • ►  October (1)
    • ►  July (3)
    • ►  June (5)
    • ►  February (2)
    • ►  January (4)
  • ▼  2012 (63)
    • ►  December (11)
    • ►  November (3)
    • ▼  October (2)
      • Five portable antivirus and antimalware tools to c...
      • Insecure SSL and How PCI gets it right
    • ►  September (3)
    • ►  August (2)
    • ►  July (5)
    • ►  June (4)
    • ►  May (2)
    • ►  April (4)
    • ►  March (5)
    • ►  February (18)
    • ►  January (4)
  • ►  2011 (9)
    • ►  December (3)
    • ►  November (1)
    • ►  September (1)
    • ►  May (1)
    • ►  April (1)
    • ►  February (2)
  • ►  2010 (10)
    • ►  December (5)
    • ►  November (1)
    • ►  August (1)
    • ►  February (2)
    • ►  January (1)
  • ►  2009 (10)
    • ►  October (2)
    • ►  August (1)
    • ►  May (2)
    • ►  April (3)
    • ►  March (1)
    • ►  January (1)
  • ►  2008 (1)
    • ►  December (1)
Powered by Blogger.

About Me

Unknown
View my complete profile