BROKEN SSL/TLS
CONTEXT
There is no other security protocol as widely used as SSL/TLS, but this does not mean that it's always deployed correctly. In fact, checking your site against SSL Labs [11] is a wake-up call for many companies. Additionally, the client side has to build SSL/TLS protections that function correctly to avoid known vulnerabilities.
VULNERABILITIES IDENTIFICATION & TRACKING
BEAST and POODLE are two recent examples of SSL/TLS weaknesses. In addition, certificate naming, chain validation, and protocol issues can open up man-in-the-middle, information-disclosure, and broken-authentication vulnerabilities.
Certificate authorities and key management systems can be used to shepherd, scale, and track SSL/TLS configurations.
COUNTERMEASURE(S)
SSL should be replaced with TLS. TLS should be upgraded to the highest level your organization can support (TLS 1.2). The provisioning, design, implementation, and deployment should be carefully reviewed and tested. The API gateway can serve as the central choke point for terminating and validating TLS traffic.
ASSURANCE
Excellent free testing tools exist, such as the SSL Labs scanner and SSLyze, and most vulnerability-management scanners include checks for SSL/TLS weaknesses. However, most of these test the server side, so make sure to scan your API clients as well.
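An added example, not taken from this chapter, using Python's standard ssl module: the client-side anti-pattern (chain validation and hostname matching switched off) beside a hardened configuration with TLS 1.2 as the floor, plus a small audit function of the kind a client-side scan applies; the function names and the optional private CA file are assumptions.

```python
import socket
import ssl
from typing import List, Optional


def weak_client_context() -> ssl.SSLContext:
    """The anti-pattern: the client accepts any certificate for any name,
    so an intercepting proxy is never detected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # certificate name not matched to host
    ctx.verify_mode = ssl.CERT_NONE   # chain not validated at all
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Chain validation and hostname matching on, TLS 1.2 as the floor.
    cafile is an optional PEM bundle for a private CA (assumption)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL/TLS 1.0/1.1
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Findings a client-side configuration scan would report for ctx."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("chain validation disabled")
    if not ctx.check_hostname:
        findings.append("hostname matching disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    return findings


def fetch_peer_summary(host: str, port: int = 443) -> dict:
    """Connect with the hardened context. A name mismatch or untrusted chain
    raises ssl.SSLCertVerificationError instead of silently continuing."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"protocol": tls.version(), "subject": cert.get("subject")}


if __name__ == "__main__":
    print("weak   :", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

Run `audit_context` against the contexts your own API clients build to catch the same issues a server-side scanner would flag, before they reach production.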
The Curious Case of Broken SSL/TLS