The following sections provide details of the coverage of these three sets of assessments:
- SSL/TLS Vulnerabilities
- Certificate Status
- SSL/TLS Security Enhancements
SSL/TLS Vulnerabilities
The following issues will result in this check being identified as a risk:
Name |
Description |
Solution |
BEAST |
Short for Browser Exploit Against SSL/TLS, BEAST is a browser exploit targeting SSL/TLS. This attack leverages weaknesses in the underlying encryption algorithm to exploit the SSL/TLS protocol. The attack can enable an attacker to decrypt traffic in certain circumstances. |
Primarily this is a client side issue mitigated by ensuring end-users are running a modern and fully patched Web browser that includes protection against the BEAST attack. Major browser vendors have added workarounds to mitigate the attack. Server-side, it is recommended to disable TLS1.0 whenever possible. If no server-side mitigations are found, this issue is considered a 'failing' vulnerability. |
DROWN |
DROWN is a serious vulnerability that affects services that rely on SSL/TLS implementations using SSLv2. DROWN allows an attacker to decrypt modern TLS connections between up-to-date clients and servers by sending probes to a server that supports SSLv2 and uses the same private key. |
Ensure that you are not using the server private key in any SSLv2 implementation. |
RC4 |
RC4 is a stream cipher which used to be prevalent on the internet. However, it has various issues with the keystream it generates. It was compromised in 2015 by the NOMORE attack. |
Remove RC4 support. |
FREAK |
Factoring RSA Export Keys (FREAK) is a weakness caused by enforcing the cryptographic library to enable what is called EXPORT protocols, a largely historic government requirement relating to exported software libraries resulting in significantly weakened key strengths. |
Disable RSA_EXPORT on the servers by updating software or taking any necessary actions like enabling strong keys in java. |
HEARTBLEED |
Heartbleed is a security bug in the OpenSSL cryptography library. It enables any user to read server memory with little trace. Private keys, user passwords, cookies and tokens can be easily stolen using this vulnerability if they happen to be in memory at the wrong time. |
Update your server cryptographic library, issue a new certificate for the server, and consider informing users who may have had data compromised.", |
TICKETBLEED |
Similar to Heartbleed, Ticketbleed is a vulnerability discovered only in some F5 appliances. Unlike Heartbleed, Ticketbleed enables any user to read limited amount of memory (31 bytes) on the server which still can leak sensitive info but on a much smaller scale. |
Update your appliance software and issue a new certificate for the server. |
Insecure Ciphers / Weak Ciphers |
Weak ciphers increase the likelihood of a cryptographic stream being decrypted. This item is a "fail" item if more than half of the cipher suites are identified to be weak ciphers. |
Use modern cipher suites for new versions of TLS protocol, and for older versions of TLS (TLS1.0) use cipher suites with keys that are 128-bit or larger. If using DH keys, produce your own server DH exchange keys that are larger than 2048 and don’t use any of the well-known DH-Keys. For ECDH refrain from using NSA related curves and instead use new curves such as Bernstein curves.", |
LOGJAM |
Logjam is a vulnerability in the Diffie–Hellman key exchange using 512-bit to 1024-bit keys. |
Use large (more than 2048-bit) newly generated DH exchange keys. Avoid using well known DH keys. Use ECDH whenever possible, but ensure not to use any of the NSA P-XXX curves. |
ROBOT |
ROBOT is the return of a 19-year-old vulnerability allowing RSA decryption and signing operations with the private key of a TLS server. This attack fully breaks the confidentiality of TLS when used with RSA encryption, an attacker can record the data and decrypt it later. |
Update your server or appliance software. Disable any TLS_RSA protocol and use ECDHE protocols instead or DHE protocols with large and self generated DH exchange keys, ensure the TLS library implements RFC 5246 correctly defined here https://tools.ietf.org/html/rfc5246#section-7.4.7.1 |
The following additional issues are identified on an 'informational' basis:
Name | Description | Solution |
BEAST |
Short for Browser Exploit Against SSL/TLS, BEAST is a browser exploit targeting SSL/TLS. This attack leverages weaknesses in the underlying encryption algorithm to exploit the SSL/TLS protocol. The attack can enable an attacker to decrypt traffic in certain circumstances. |
Primarily this is a client side issue mitigated by ensuring end-users are running a modern and fully patched Web browser that includes protection against the BEAST attack. Major browser vendors have added workarounds to mitigate the attack. Server-side, it is recommended to disable TLS1.0 whenever possible. If any server-side mitigations are found, this issue is considered an 'informational' vulnerability. |
BREACH |
Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH) is a known-plaintext attack against SSL connections over compressed HTTP based on the CRIME attack technique. |
Disable HTTP compression if possible (however this will have performance implications). If not possible, ensure that appropriate CSP and CSRF tokens are implemented.", |
CRIME |
Compression Ratio Info-leak Made Easy (CRIME) is an attack on any SSL/TLS implementation using TLS-Compression. An attacker can deduce that Session cookie and header data with some effort and Man-In-The-Middle (MiTM) techniques. |
Disable TLS Compression server side and/or ensure end users are running a modern and fully patched Web browser that includes protection against the CRIME attack. |
POODLE |
Padding Oracle On Downgraded Legacy Encryption (POODLE) is a man-in-the-middle exploit which takes advantage of client fallback to SSL 3.0. There is also a variant of this attack based on the incorrect implementation of CBC ciphers in TLS. |
Disable SSLv3. Enable TLS_FALLBACK_SCSV on your server, and update your server software or cryptography library. |
WeakCiphers |
Weak ciphers increase the likelihood of a cryptographic stream being decrypted. This item is "informational" if some, but less than half, of the cipher suites are identified to be weak ciphers. |
Use modern cipher suites for new versions of TLS protocol, and for older versions of TLS (TLS1.0) use cipher suites with keys that are 128-bit or larger. If using DH keys, produce your own server DH exchange keys that are larger than 2048 and don’t use any of the well-known DH-Keys. For ECDH refrain from using NSA related curves and instead use new curves such as Bernstein curves.", |
OpenSSL CCS |
The ChangeCipherSpec (CCS) injection vulnerability is a vulnerability in the OpenSSL library that could allow for a man-in-the-middle (MiTM) attack against an encrypted connection. |
Update your server software or cryptographic library. |
SecureRenegotiate |
Many old cryptographic libraries do not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into SSL/TLS sessions. |
Update your server or appliance software. |
SWEET32 |
SWEET32 is an attack on 64-bit cipher suites allowing successful cryptanalysis of data if a very large data set is sent to your server in the same session.", |
Disable 64-block ciphers like 3DES. If this is not possible, close a TLS session after 200MB or less or renegotiate TLS (which can be technically challenging).", |
Certificate Status
Issue | Brief Summary |
Certificate chain not trusted |
Assessing the integrity of all certificates in the chain. |
Weak Signature |
Identifying signatures derived from SHA-1 or earlier algorithms. |
Short Key Length |
We identify and assess key lengths. |
ECC Curve Prime Constants |
While there is no known weakness in ECC, there are some 'known curves' for which compromising information is available. |
Revocation status not reachable |
If we can't reach the revocation providing service then we can't check the validaty of the certificate. |
Wrong name related to the hostname |
X509 v3 supports multiple common names and/or Subject alternative names. From TLS1.0 common names and alternative names are documented on how they should be implmeneted to define hostname, alternative names and common name, so as to include wildcards to define all sub domains. |
Missing signed certificate timestamp |
As of April 2018 all SSL certificates not only EV, OV or DV certificates are mandated to have a certificate transparency record. |
Blacklisted |
Blacklisted certificates are certificates or CA that have been blacklisted for many reasons like hosting malware or key exposure. |
SSL/TLS security enhancements
DANE (TLSA records) |
The DNS-Based Authentication of Named Entities (DANE) specification introduces the "TLSA" resource record type. TLSA records associate a certificate or a public key of an end-entity or a trusted issuing authority with the corresponding Transport Layer Security (TLS). . |
Downgrade attack prevention supported |
Enabling TLS_FALLBACK_SCSV will prevent some MiTM attack from degrading the connection cipher suites after agrrement. This setting will help prevent attacks like POODLE. |
Forward Secrecy or Perfect Forward Secrecy |
Forward secrecy is done by enabling DHE and ECDHE and prioritizing these Cipher suites over other suites. |
DNS CAA |
DNS CAA records gives a second channel for validating the CA of the certificate, which can be a useful validation mechnism for certificates. |